DataBreachToday.com
McFlaw: Hacker Breaches McDonald's Portal With URL Trick
3 months 3 weeks ago
Hacking Was the Easy Part, Notifying McDonald's the Extremely Difficult Bit
A security researcher gained access to McDonald's global marketing portal by changing a single word in its URL, uncovering a slew of additional vulnerabilities. The hard part was notifying the burger giant about the flaws, says self-described ethical hacker "BobDaHacker."
Drug R&D Firm's IT, Data Encrypted in Alleged Qilin Attack
3 months 3 weeks ago
Inotiv Inc. Tells SEC Some Business Operations Disrupted, No Recovery Date in Sight
Inotiv, a drug research and development firm, told federal regulators that it's been dealing with a cyberattack since Aug. 8 that has encrypted some IT systems and data, and is disrupting certain business operations. Ransomware gang Qilin has listed the company as a victim on its dark website.
Anthropic Tests Safeguard for AI 'Model Welfare'
3 months 3 weeks ago
Claude Models May Shut Down Harmful Chats in Some Edge Cases
Anthropic introduced a safeguard to its Claude artificial intelligence platform that allows certain models to end conversations in cases of persistently harmful or abusive interactions. The company said it's doing so not to protect human users, but as a way to mitigate risks to the models.
Russian Hackers Accused in Wave of Water Sector Cyberattacks
3 months 3 weeks ago
Successful Breaches Renew Fears of Operational Vulnerabilities Across Water Sector
Russia is suspected of escalating cyberattacks on European water utilities, including attempts to sabotage Polish and Norwegian water facilities and dams, signaling a broader threat to global critical infrastructure as state-backed actors exploit critical OT weaknesses amid global conflict.
Live Webinar | Mitigating Quantum Compliance Risk: How to Stay Ahead of New Regulations
3 months 3 weeks ago
Why Agentic AI Is the Next Enterprise Frontier - Part 2
3 months 3 weeks ago
Practical Guide to Architect, Govern, Scale AI Agents for Enterprise Transformation
Part 1 of this two-part feature on agentic AI covered how the autonomous systems shift enterprises from reactive generative AI to autonomous, accountable systems. Part 2 provides a practical blueprint for architecting, governing and scaling agentic AI to deliver enterprisewide transformation.
Feds Seize Powerful DDoS-for-Hire Service 'Rapper Botnet'
3 months 3 weeks ago
22-Year-Old Oregon Man Charged With Selling DDoS Attacks Using Mirai Variant
Federal prosecutors have charged Oregon man Ethan Foltz, 22, with administering an on-demand service for disrupting websites called "Rapper Bot." Resulting distributed-denial-of-service attacks disrupted DeepSeek and X, as well as the U.S. Department of Defense, which is leading the investigation.
US Intel Chief Celebrates UK Retreat on Apple Backdoor Order
3 months 3 weeks ago
Tulsi Gabbard Takes Credit After Apparent British Reversal of Backdoor Request
U.S. Director of National Intelligence Tulsi Gabbard announced the United Kingdom has apparently reversed course on a demand for Apple to provide the government with a backdoor into its advanced iCloud encrypted protections following growing criticism from U.S. lawmakers and privacy advocates.
Live Webinar | Choosing the Right Data Collection Partner: Real World Insights from Real Customers
3 months 3 weeks ago
Webinar | Invisible Risk, Inevitable Impact: Protecting Machine Identities in Financial Services
3 months 3 weeks ago
Why Agentic AI Is the Next Enterprise Frontier - Part 1
3 months 3 weeks ago
How Autonomous AI Systems Are Moving Beyond Hype and Why CIOs Can't Ignore Them
Agentic AI is moving from concept to capability, bridging the gap between reactive tools and enterprise-scale autonomy. With the stack maturing fast, CIOs face a choice: lead the shift or risk being left behind.
Automation Alert Sounds as Certificates Set to Expire Faster
3 months 3 weeks ago
Maximum Validity of Public TLS Certificates Will Drop From 398 Days to Just 47 Days
The future of managing digital certificates is already here - it's just not evenly distributed yet. With the public TLS certificate validity period set to drop to just 47 days, as well as the need to migrate to quantum-safe encryption, experts see automation as key to achieving crypto agility.
Why Do HIPAA Risk Analyses Miss the Mark So Often?
3 months 3 weeks ago
Common Weaknesses Healthcare Providers Must Overcome to Avoid Regulators' Wrath
Regulators have long pushed HIPAA-regulated providers to ensure their enterprise-wide security risk analysis is comprehensive and timely, so they can identify security issues before they become data breaches. Why do so many organizations struggle with this top HIPAA priority?
Why Cloudflare Blocked Unauthorized AI Access to Web Content
3 months 3 weeks ago
CEO Matthew Prince: Unchecked Scraping Could Undermine the Internet's Economic Model
With 20% of the web behind its platform, Cloudflare will now block AI web crawlers from scraping monetized content by default. CEO Matthew Prince says the company's policy gives all users, even on the free plan, control over AI bot access and protects the incentives for content creation.
Webinar | AI Attack Surface and Governance: A Balancing Act
3 months 4 weeks ago
NY State Fines Dental Plan Firm $2M in Phishing Breach
3 months 4 weeks ago
Healthplex, Part of UnitedHealth Group, Lacked MFA on Compromised Email Account
New York State has fined a dental plan administrator owned by UnitedHealth Group $2 million for failing to protect data with multifactor authentication and other issues related to a phishing breach that affected 90,000 people. It's the state's second fine against Healthplex for the same breach.
Accounting Firm Pays Feds $175K for HIPAA Ransomware Breach
3 months 4 weeks ago
Settlement Includes Corrective Action Plan Focused on Improving Risk Analysis
An investigation into a ransomware breach reported in 2020 as affecting the protected personal information of 170,000 people led to a $175,000 fine against a certified public accounting and consulting firm. Regulators also required the company to implement a corrective action plan in the settlement.
Why the US Needs New Policies to Fight Scams
3 months 4 weeks ago
Fraud Expert Trace Fooshee on Regulatory Steps Needed to Curb Payment Scams
While the U.K. and Australia have mobilized multiple sectors to tackle payment scams, the United States faces complex hurdles. The U.S. can't replicate other regulatory models but it can pursue targeted actions such as regulating scam-prone ad platforms and creating a central fraud-fighting agency.
DataBreachToday.com RSS News Feeds on data breach today news, regulations, blogs and education