DataBreachToday.com

Directory Traversal Flaw Found in Companies House
The British government's company register service temporarily deactivated its online filing service after someone found a serious vulnerability that allowed people to access directors' sensitive personal data and potentially even amend companies' records or file bogus accounts on their behalf.

Rising Liability Risks Are Reshaping the CISO Role and Cybersecurity Leadership
As regulators pursue accountability after major breaches, CISOs face growing personal liability. This is changing how security leaders report risk, weakening security culture and making the role less attractive to experienced practitioners.

Real and intense financial pressures on rural and small healthcare clinics mandate making difficult decisions on allocating funds to cybersecurity, said Greg Sieg, CISO at the University of Michigan Regional Health Network. "The funding is just not there."

Attorneys can conduct security risks assessments under the color of client privilege, making it less likely to surface in discovery during litigation. But healthcare firms should consider the cons before they take that route, said attorney Adam Greene, partner at the law firm Davis Wright Tremaine.

An identity-based microsegmentation deployment at Main Line Health in Philadelphia is helping to control how its roughly 60,000 devices communicate across the network in order to protect clinical operations and limit the impact of potential cyberattacks, said Main Line Health CISO Aaron Weismann.

Cybersecurity Requirements Could Clash With Right-to-Repair
Automakers are generally on track to implement new EU cybersecurity requirements in tailpipe emissions regulations instigated by the long shadow of Volkswagen's emissions scandal, but there could be a clash between those new rules and others that are intended to guarantee the right-to-repair.

Bold Plan Raises Hard Questions About Execution, Liability and Oversight
The Trump administration's national cyber strategy calls for a stronger partnership between the federal government and private companies, heralding a shift in the ways private enterprise could participate in offensive operations against nation-state adversaries, ransomware gangs and cybercriminals.

Also: the Pentagon-Anthropic AI Legal Showdown, the New Reality of Document Fraud
In this week's panel, four ISMG editors discuss the cyber activity tied to the U.S.-Israel-Iran conflict, the Pentagon's standoff with AI firm Anthropic and a new report that reveals how document fraud reflects deeper weaknesses in verification systems.

New Startup Says Cloud-Heavy Models Do Not Scale for Large Enterprises
Bold Security exited stealth with $40 million to build an endpoint platform for the artificial intelligence era. CEO Nati Hazut said companies can no longer rely on older controls as employees and AI agents access data locally, creating new blind spots around apps, files and device activity.

For the U.S. healthcare ecosystem, the 2024 ransomware attack on Change Healthcare proved to be a supply-chain earthquake in showcasing critical third-party risk that entities now must carefully and urgently consider, said Erik Decker, CISO of Intermountain Health and a federal cyber adviser.

Medical device cyber challenges are among the most complex for manufacturers and healthcare delivery organizations for a variety of reasons, but there are some promising developments underway that could help ease the pain, said Phil Englert of the Health Information Sharing and Analysis Center.

Gartner's Wam Voster on Potentially Harmful AI Decision Systems in OT Environments
Industrial environments already face potential cyberthreats that could lead to downtime. But now with AI agents poised to control operational decisions, factory managers need to watch for new safety risks for cyber-physical systems, said Wam Voster, vice president analyst at Gartner.

Also, More ClickFix Attacks and Teen Booters Arrested in Poland
This week, Russian hackers targeted Signal and WhatsApp users, permit-fee phishing hit U.S. applicants, ClickFix on WordPress sites, Microsoft patched 80 bugs, a 14K-router botnet, Polish teens held over DDoS tools and Finland warned of Russian, Chinese espionage. North Korean IT workers for hire.

Company Says Supply-Chain Risk Label Threatens Billions in Contracts
Anthropic filed an emergency motion asking a federal appeals court to block a Defense Department decision labeling the AI developer a national security supply-chain risk. The company says the move could cost billions and followed its refusal to weaken AI safety restrictions.

'Cyber Android RAT' Can Capture WhatsApp History, Crypto Seed Phrases
Cybercriminals are advertising on criminal hacking online boards an Android remote access Trojan that can steal victims' WhatsApp conversation history, surveil them in real time and extract cryptocurrency seed phrases for the low price of about $500 a month.

Startup Platform Targets Autonomous Detection and Exposure Management
Cybersecurity startup Kai emerged from stealth with $125 million in funding led by Evolution Equity to develop an agentic AI platform that automates exposure management, threat intelligence, analysis and detection workflows while helping security teams remediate vulnerabilities faster.

Vendor Combines AI Attack Agents, Human Experts to Simulate Real-World Cyberattacks
Offensive security startup Armadin secured nearly $190 million in funding to expand a platform that uses AI agents to automate red-team operations. The technology enables companies to continuously test defenses and uncover attack paths that traditional consulting engagements often miss.