DataBreachToday.com

US Cyber Defense Agency Pushes for Automation and Machine-Readable Data in SBOMs
The Cybersecurity and Infrastructure Security Agency released a draft update to its Software Bill of Materials minimum elements guidance, adding components to push SBOMs toward automated, operational use in supply chain risk tracking - while also addressing gaps in standardization and visibility.

Researchers Show How AI Image Downscaling Can be an Attack Vector
Researchers discovered a method to embed invisible prompt injections that are activated during AI's processing of an image. When the model scales down these images, the hidden malicious instructions allow theft of data from popular image production systems.

Stolen DaVita Data Leaked on Dark Web by Ransomware Gang Interlock
Months after cybercriminal gang Interlock claimed to have stolen more than 1.5 terabytes of patient data from kidney dialysis chain DaVita, the company told federal regulators that the cyberattack first disclosed in April has affected nearly 2.7 million people.

Second Cyber IPO Filing of 2025, Netskope Shows Huge Reliance on Channel Partners
Netskope became the second cybersecurity company to pursue an initial public offering this year, revealing increased sales, improved losses and a heavy reliance on channel partners. Nearly 95% of its $328.5 million in revenue in the first half of fiscal year 2025 flowed through indirect channels.

Threat Actors Accessed, Stole Data for About 2 Months; BianLian Claims Credit
A health system in rural Michigan is notifying nearly 140,000 people that their information was potentially compromised in a data theft incident occurring between November 2024 and January 2025. Cybercriminal gang BianLian lists Aspire Rural Health System as a victim on its dark website.

Also: New 'Quishing' Tactics, Pro-Houthi Hacker Sentenced to 20 Months
This week, a Scattered Spider hacker sentenced, new squishing tricks, a pro-Houthi hacker gets 20 months in the United Kingdom, a Taiwanese web hosting provider hacked, the Business Council of New York and Ohio Medical Cannabis Center breached, North Korean hackers target Seoul and an Apple Patch.

Settlement Is Latest Among Scores of Other MOVEit Lawsuits Still Pending
Nuance Communications, a Microsoft subsidiary, has agreed to pay $8.5 million to settle class action litigation filed after hackers exploited a zero-day flaw in Progress Software's MOVEit file transfer software in 2023, stealing data belonging to more than a dozen of Nuance's healthcare clients.

CEO Amir Ben-Efraim: Acquisition Adds AI-Powered File Sanitization to Browser Tools
Through its acquisition of Votiro, Menlo Security has embedded file-level sanitization and AI-powered detection directly into its enterprise browser stack. CEO Amir Ben-Efraim says the move helps prevent malware, data leaks and phishing risks at the browser level.

Copilot Falls for Prompt Injection Yet Again
Microsoft quietly fixed a flaw that allowed users to instruct embedded artificial intelligence model Copilot not to log its access corporate files. "If you work at an organization that used Copilot prior to Aug 18, there is a very real chance that your audit log is incomplete."

Also: Coinbase's Misconfigured Smart Contract, GMX Repayment Plans
This week, a Ponzi scammer must pay $228 million, Google clarified Play Store non-custodial wallet rules, Coinbase misconfiguration, GMX repayment, BtcTurk halted transfers, bank groups wrote lawmakers. Prosecutors seized funds. The Federal Reserve ended a special oversight program. Hong Kong published new rules.

Trag's Developer-Centric Tools Help Aikido Slash Time to Market by 12 Months
Aikido Security acquired Trag, an AI-native code review startup, to bring repository-wide review capabilities to its platform. The acquisition accelerates delivery of new features, such as logic risk detection and English-language rule writing, aimed at beating legacy rivals.

State-Sponsored Espionage Group Tied to Exploits of No-Longer-Supported Cisco Gear
Russian intelligence hackers are using obsolete and unpatched equipment made by networking mainstay Cisco Systems to further stealthy and ongoing cyberespionage operations, the U.S. federal government warned Wednesday. Hackers exploit a vulnerability in the Smart Install feature of Cisco devices.

Workers Reject Traditional Advancement for Flexible, Purpose-Driven Career Paths
In 2025, professionals are abandoning the traditional career ladder for lateral moves and purpose-driven roles. Employers must adapt their advancement models or risk losing top talent, especially in critical fields like cybersecurity where flexibility matters most.

Hacking Was the Easy Part, Notifying McDonald's the Extremely Difficult Bit
A security researcher gained access to McDonald's global marketing portal by changing a single word in its URL, uncovering a slew of additional vulnerabilities. The hard part was notifying the burger giant about the flaws, says self-described ethical hacker "BobDaHacker."

Inotiv Inc. Tells SEC Some Business Operations Disrupted, No Recovery Date in Sight
Inotiv, a drug research and development firm, told federal regulators that it's been dealing with a cyberattack since Aug. 8 that has encrypted some IT systems and data, and is disrupting certain business operations. Ransomware gang Qilin has listed the company as a victim on its dark website.

Claude Models May Shut Down Harmful Chats in Some Edge Cases
Anthropic introduced a safeguard to its Claude artificial intelligence platform that allows certain models to end conversations in cases of persistently harmful or abusive interactions. The company said it's doing so not to protect human users, but as a way to mitigate risks to the models.

Successful Breaches Renew Fears of Operational Vulnerabilities Across Water Sector
Russia is suspected of escalating cyberattacks on European water utilities, including attempts to sabotage Polish and Norwegian water facilities and dams, signaling a broader threat to global critical infrastructure as state-backed actors exploit critical OT weaknesses amid global conflict.

Practical Guide to Architect, Govern, Scale AI Agents for Enterprise Transformation
Part 1 of this two-part feature on agentic AI covered how the autonomous systems shift enterprises from reactive generative AI to autonomous, accountable systems. Part 2 provides a practical blueprint for architecting, governing and scaling agentic AI to deliver enterprisewide transformation.