Ransomware DataBreachToday.com

3 Major Tech Firms Shipped Vulnerable Open-Source Tools to Hugging Face
Researchers discovered remote code execution vulnerabilities in three AI libraries from Apple, Salesforce and Nvidia used by models with tens of millions of Hugging Face downloads, allowing attackers to hide malicious code in model metadata.

Growing Third-Party Breach Trend Is Spreading to AI Suppliers
IT organizations have built processes for reducing vendor risk, but in the AI era, that operating model is being dismantled. Modern AI environments are built on dynamic external foundational models, countless APIs, open-source components and continuous data pipelines that pose risks.

Black Duck Researchers Discover Flaw in Widely Used Broadcom Chipset
A flaw in Broadcom chipsets commonly used in wireless routers allows attackers to repeatedly knock offline the 5 gigahertz band, no matter how strong the security settings, say researchers.

Former AWS Exec Nancy Wang to Lead 1Password's Agentic AI Security Strategy
1Password named former AWS executive Nancy Wang as chief technology officer to oversee the evolution of its platforms to manage new artificial intelligence-driven workflows. "Agents are really their own class of identities," Wang said.

NIST Seeks Input to Protect AI Systems Used in Government, Critical Infrastructure
The National Institute of Standards and Technology is seeking public input from security experts and stakeholders to weigh in on security threats from agentic AI warning they may be vulnerable to exploits like hijacking, backdoors and misaligned behavior across federal networks.

New CEO Jesper Zerlang Plans Global Growth, US Push and Vertical Expansion
Former Logpoint chief Jesper Zerlang, now CEO at SecurityBridge, says SAP security remains a weak link in enterprise risk strategies. As CEO of SecurityBridge, he’s launching a global expansion and leaning into the company's product differentiators to fill the gap.

Why Identity Life Cycles, Visibility and Privilege Are Falling Out of Sync
Modern enterprises are struggling to maintain control over identity management. While authentication still works, a systemic drift in how identities are created and discarded is creating an expanded attack surface that adversaries are increasingly exploiting.

Hitachi Energy Security Head Joe Doetzl on Common Tools and Practices
While IT and OT environments were traditionally seen as two separate parts of the organization, security teams can use common tools and practices to protect both areas, said Joe Doetzl, head of cybersecurity at Hitachi Energy. The company designated a single leader for IT-OT environments years ago.

Mapping Platform Exposed Addresses and Medical Assistance Plans
The Illinois Department of Human Services is notifying more than 700,000 people of a breach involving "incorrect privacy settings" left in place for several years that exposed online data pertaining to Medicare, Medicaid and rehabilitation services recipients.

$740M SGNL Acquisition Boosts Dynamic Identity Enforcement for Humans and AI Agents
With the $740M acquisition of SGNL, CrowdStrike aims to deliver dynamic access control for human and nonhuman identities. The real-time enforcement layer expands CrowdStrike's identity capabilities amid a market shift toward zero standing privilege and agentic workforce security.

Also: Turning AI Data Into AI Defense, Autonomous Border Patrol Robots
In this week's panel, ISMG editors discussed how basic security failures are still opening the door to major breaches, how researchers are rethinking data protection in the age of artificial intelligence and the implications of robots with AI patrolling national borders.

Also, Sedgwick Confirms Breach, Romanian Power Firm Hit, D-Link Flaws Exploited
This week, Moody's said firewalls will be obsolete, Romanian critical infrastructure hacked, Sedgwick breach and a D-Link DSL flaw. Finland seized the Fitburg. Microsoft said Direct Send not to blame for Exchange phishing. Malicious Chrome extensions, European hotels targeted and health breaches.

Also, Sedgwick Confirms Breach, Romanian Power Firm Hit, D-Link Flaws Exploited
This week, Moody's said firewalls will be obsolete, Romanian critical infrastructure hacked, Sedgwick breach and a D-Link DSL flaw. Finland seized the Fitburg. Microsoft said Direct Send not to blame for Exchange phishing. Malicious Chrome extensions, European hotels targeted and health breaches.

OpenAI: Tool Will 'Securely' Connect With Medical Records, But How Will That Work?
OpenAI is rolling out a new version of ChatGPT dedicated to health that the company said will also "securely" connect users' medical records and wellness apps to better personalize responses. OpenAI says more than 230 million people each week ask ChatGPT wellness and health related questions.

CISA Warns of Retaliatory Cyber Action From Hostile State Actors After Venezuela
Federal cybersecurity officials are warning of a likely uptick in retaliatory cyber activity from China and Russia-linked threat actors after the U.S. military raid in Venezuela, urging infrastructure operators to brace for disruptive probing and attacks.

Blackstone-Led Funding Round Expands R&D and Partnerships to Address AI Threats
With AI adoption outpacing security readiness, Cyera secured $400 million at a $9 billion valuation to protect data in an agentic AI landscape. The company plans to expand engineering efforts and partner with tech giants to create a control plane for enterprise AI use.

Targeted Threat Intel Firm Shares Details With Police After Honeypot Hit
Getting owned by deception technology isn't good news for one's criminal brand or ability to remain at large. Just ask the band of young hackers behind "Scattered Lapsus$ Shiny Hunters," when one of their ilk fell into a security firm's honeytrap, revealing his actual IP address in the process.

Congress Holds Cyber Funding at 2024 Levels Across Key Civilian Agencies
The fiscal year 2026 budget deal largely locks in federal cybersecurity funding at 2024 levels, stalling growth across key civilian agencies even as lawmakers call for global technology leadership as the U.S. government faces mounting nation-state cyber threats.

Patent Board Decision Invalidating 3 Orca Patents Weakens Case, Leads to Dismissal
After 30 months of legal sparring, Wiz and Orca Security have agreed to dismiss all claims in their cloud security patent dispute. The end of the case comes after a significant setback for Orca: A federal board invalidated three of its asserted patents.

2023 Incident Affected More Than 650,000 Patients, Employees
An upstate New York orthopedic practice has agreed to pay state regulators a $500,000 settlement and implement stronger security practices following a 2023 hack involving the theft of 650,000 individuals' sensitive information. Cybercrime group INC Ransom reportedly claimed credit for the incident.