DataBreachToday.com

Security by Design or Be Fined, Committee Suggests
A U.K. parliamentary committee is recommending a new statute forcing software publishers to hew to secure-by-design principles or else face financial penalties. The committee called for "enforcement agencies" empowered to levy fines to monitor industry for compliance.

Cyber Advisory Cites Abuse of Linked Devices to Monitor Sensitive Communications
The U.S cyber defense agency issued an alert outlining how commercial spyware and state-aligned groups are abusing messaging-app features through malicious QR-based linking and zero-click exploitation to monitor U.S. government, military and other high-profile figures.

JP Morgan Chase, Citi and Morgan Stanley Among Banking Customers Impacted
Major U.S. banks are assessing their exposure to a cybersecurity incident at real estate financial technology company SitusAMC, which disclosed Saturday that a breach may have affected client data. The New York firm uncovered the incident on Nov. 12.

Mindpath Health Settles Claim for $3.5M; Delta Dental Notifies 146,000 of Breach
Email breaches continue to plague the healthcare sector, resulting in data compromises that often affect the sensitive information of scores of patients. Two recent incidents illustrate the risks email breaches pose to patients, and the potential legal fallout for providers.

Israeli Startup Plans to Integrate AI Agent Guardrails Into Cloud Platform
Sweet Security secured $75 million in Series B funding to integrate AI security into its CNAPP platform. With runtime protection as its differentiator, the startup plans to address growing CISO concerns over shadow AI and attack vectors involving intelligent agents.

Lawmakers Say Reversal Strips One of Few Enforceable Standards for Major Carriers
The U.S. FCC's move to scrap its short-lived interpretation of the Communications Assistance for Law Enforcement Act - the 1994 statute known as CALEA - sparked warnings that the agency just eliminated one of the few enforceable cybersecurity tools for the telecom sector.

3-Year Espionage Campaign Targeted Taiwanese Firms
Chinese nation-state group APT24 targeted multiple Taiwanese companies as part of an espionage operation that went undetected for three years. The hacking group continually updated its malware infrastructure and tactics, enabling it to stay under the radar, Google Cloud said.

Researchers Were Able to Query 3.5 Billion Accounts
Security researchers were able to scoop up the telephone numbers of billions of WhatsApp users through an enumeration tool provided by app owner Meta. The sheer quantity of leaked numbers - 3.5 billion in total - would amount to "the largest data leak in history."

HSCC 'Model Contract' Calls for Shared Cyber Risks for Providers and Device Makers
Newly revised "model contract language" guidance from the Health Sector Coordinating Council provides an updated reference document to help healthcare providers and medical device makers better articulate and evaluate cyber considerations when negotiating purchases of products and services.

High-Profile Case Ends After Judge Guts SEC’s Cyber Fraud Allegations
The SEC has dropped its remaining claims against SolarWinds and CISO Tim Brown, ending a controversial cyber fraud lawsuit that aimed to expand securities law to cover operational security failures tied to the 2020 Russian hacking campaign.

Experts Detail Upsides of Bug Bounties and Getting Devices Into Researchers' Hands
As fresh vulnerabilities in hardware keep coming to light, one question remains: What vendors can do to better prevent, identify and eradiate flaws? One shortlist offered by veteran hardware hackers centered on the upsides of engagement, including bug bounty programs.

Leaked Executive Order Would Strip States of Power to Regulate AI Tech Firms
A leaked draft executive order would empower federal agencies to override state AI laws, threatening federal funds for noncompliance and creating a litigation task force - drawing sharp backlash over executive overreach and potential harm to consumers.

Class Action Litigation and Criminal Case Focus on Actions of an Ex-Tech Worker
A federal court has granted preliminary approval of a $5 million settlement in class action litigation filed against Pennsylvania-based Geisinger Health and Nuance Communications - now part of Microsoft - involving a 2023 insider data breach affecting more than 1 million Geisinger patients.

European Cybersecurity Agency Can Assign CVE IDs and Publish CVE Records
The European Union Agency for Cybersecurity is poised to take on a greater role in coordinating vulnerability disclosures across the trading bloc with its elevation as a "Root"-level participant in the Common Vulnerabilities and Exposures program.

Salesforce Revoked Gainsight Authentication Tokens
Customer relationship management giant Salesforce is again notifying customers that hackers may be stealing their data through a third-party app. The San Francisco company late Wednesday disclosed that apps published by Gainsight connected to Salesforce instances may have "enabled unauthorized access."

Avoid Roadblocks to Your Advancement, Optimize Your Professional Throughput
Career latency is not an indictment of your ability. Understanding what creates latency in your professional life and how to address it is an essential component of long-term growth. With a diagnostic mindset and a willingness to optimize, you can restore throughput and move forward with purpose.

Michael Leland of Island on How to Enhance Credential Security
From infostealers to phishing, almost 90% of all data breaches now involve the use of stolen credentials - leading to billions of dollars in losses. Michael Leland of Island opens up on the role of the modern enterprise browser in mitigating these risks created by compromised credentials.