Ransomware DataBreachToday.com

Individual Vulnerability Severity Not Always a Good Measure of Risk Exposure
A mainstay of IT security programs across the world, the Common Vulnerability Scoring System, may have terminal flaws when applied to the mirror universe of operational technology - a place where ordinary assumptions about risk don't apply.

Program Offers Up to $100K for Security Upgrades and $50K for Assessments
New York is rolling out new cybersecurity regulations for water and wastewater utilities, requiring operators to conduct risk assessments and deploy security controls while offering $2.5 million in grants to strengthen defenses against rising cyberthreats targeting critical infrastructure.

House Democrats Demand Probe Into Former CISA Head Gottumukkala Poly Failures
Five U.S. Democratic lawmakers called for an investigation into a series of escalating controversies surrounding Cybersecurity and Infrastructure Security Agency leadership, following allegations that ex-Acting Director Madhu Gottumukkala bypassed established intelligence protocols.

Directory Traversal Flaw Found in Companies House
The British government's company register service temporarily deactivated its online filing service after someone found a serious vulnerability that allowed people to access directors' sensitive personal data and potentially even amend companies' records or file bogus accounts on their behalf.

An identity-based microsegmentation deployment at Main Line Health in Philadelphia is helping to control how its roughly 60,000 devices communicate across the network in order to protect clinical operations and limit the impact of potential cyberattacks, said Main Line Health CISO Aaron Weismann.

Bold Plan Raises Hard Questions About Execution, Liability and Oversight
The Trump administration's national cyber strategy calls for a stronger partnership between the federal government and private companies, heralding a shift in the ways private enterprise could participate in offensive operations against nation-state adversaries, ransomware gangs and cybercriminals.

Also: the Pentagon-Anthropic AI Legal Showdown, the New Reality of Document Fraud
In this week's panel, four ISMG editors discuss the cyber activity tied to the U.S.-Israel-Iran conflict, the Pentagon's standoff with AI firm Anthropic and a new report that reveals how document fraud reflects deeper weaknesses in verification systems.

New Startup Says Cloud-Heavy Models Do Not Scale for Large Enterprises
Bold Security exited stealth with $40 million to build an endpoint platform for the artificial intelligence era. CEO Nati Hazut said companies can no longer rely on older controls as employees and AI agents access data locally, creating new blind spots around apps, files and device activity.

Rising Liability Risks Are Reshaping the CISO Role and Cybersecurity Leadership
As regulators pursue accountability after major breaches, CISOs face growing personal liability. This is changing how security leaders report risk, weakening security culture and making the role less attractive to experienced practitioners.

Real and intense financial pressures on rural and small healthcare clinics mandate making difficult decisions on allocating funds to cybersecurity, said Greg Sieg, CISO at the University of Michigan Regional Health Network. "The funding is just not there."

Attorneys can conduct security risks assessments under the color of client privilege, making it less likely to surface in discovery during litigation. But healthcare firms should consider the cons before they take that route, said attorney Adam Greene, partner at the law firm Davis Wright Tremaine.

Cybersecurity Startup Exposed Lilli Using a Flaw as Old as the Web
Security startup CodeWall disclosed this week that its autonomous AI agent breached McKinsey's internal AI platform Lilli in two hours on Feb. 28, accessing tens of millions of messages and hundreds of thousands of files through a basic, years-old database flaw.

Cybersecurity Requirements Could Clash With Right-to-Repair
Automakers are generally on track to implement new EU cybersecurity requirements in tailpipe emissions regulations instigated by the long shadow of Volkswagen's emissions scandal, but there could be a clash between those new rules and others that are intended to guarantee the right-to-repair.

For the U.S. healthcare ecosystem, the 2024 ransomware attack on Change Healthcare proved to be a supply-chain earthquake in showcasing critical third-party risk that entities now must carefully and urgently consider, said Erik Decker, CISO of Intermountain Health and a federal cyber adviser.

Medical device cyber challenges are among the most complex for manufacturers and healthcare delivery organizations for a variety of reasons, but there are some promising developments underway that could help ease the pain, said Phil Englert of the Health Information Sharing and Analysis Center.

Healthcare Hit Shows Symbols Matter as Iran Shifts Focus to Economic Damage
Cybersecurity experts say that the Handala "hacktivist" group that claimed credit for attacks against two American firms on Wednesday is run by the Iranian government. The shift to destructive cyberattacks parallels Iran's attempt to inflict greater economic damage on the United States and allies.

Also, More ClickFix Attacks and Teen Booters Arrested in Poland
This week, Russian hackers targeted Signal and WhatsApp users, permit-fee phishing hit U.S. applicants, ClickFix on WordPress sites, Microsoft patched 80 bugs, a 14K-router botnet, Polish teens held over DDoS tools and Finland warned of Russian, Chinese espionage. North Korean IT workers for hire.

Company Says Supply-Chain Risk Label Threatens Billions in Contracts
Anthropic filed an emergency motion asking a federal appeals court to block a Defense Department decision labeling the AI developer a national security supply-chain risk. The company says the move could cost billions and followed its refusal to weaken AI safety restrictions.