Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Cyber News

The Pierce County Library System cyberattack has exposed the personal information of more than 340,000 individuals following a cybersecurity incident discovered in April 2025. The public library system, which operates 19 locations and serves nearly one million residents outside Seattle, confirmed that unauthorized access to its network resulted in sensitive data being copied and taken.

According to breach notification letters published this week on the Pierce County Library System (PCLS) website and filed with regulators in multiple states, the incident occurred between April 15 and April 21, 2025. PCLS detected the breach on April 21 and immediately shut down its systems to contain the attack and begin an investigation.

Unauthorized Network Access and Data Exposure

The investigation revealed that attackers had access to PCLS systems for nearly a week and exfiltrated files containing personal information. By May 12, the organization confirmed that hackers had stolen data belonging to both library patrons and current or former employees.

For library patrons, the exposed data included names and dates of birth. For employees and their family members, the compromised information was significantly more sensitive. Impacted data may include Social Security numbers, financial account details, driver’s license numbers, credit card information, passport numbers, health insurance records, medical information, and dates of birth.

PCLS stated that it is not currently aware of any misuse of the stolen data. However, the organization acknowledged the seriousness of the breach and emphasized that it takes the confidentiality and privacy of personal information in its care very seriously.

Ransomware Gang Claims Responsibility for the Pierce County Library System Cyberattack

The Pierce County Library System cyberattack was claimed in May by the INC ransomware gang, a cybercriminal group that has carried out multiple high-profile attacks against government and public-sector organizations in 2025. The group has previously targeted systems such as the Pennsylvania Office of the Attorney General and an emergency warning service used by municipalities across the United States.

While PCLS has not publicly confirmed whether a ransom demand was made or paid, public library systems have increasingly become targets for ransomware attacks. Cybercriminal groups often assume that governments will pay to quickly restore access to essential public services.

History of Cyber Incidents in Pierce County

This is not the first cybersecurity incident to impact Pierce County. In 2023, a ransomware attack disrupted the county’s public bus service, affecting systems used by approximately 18,000 riders daily. The recurring nature of such incidents highlights the ongoing challenges local governments face in defending critical public infrastructure.

Globally, library systems have experienced a rise in cyberattacks in recent years. High-profile incidents, including the British Library cyberattack, along with multiple attacks across Canada and the United States, have caused prolonged outages and service disruptions.

Steps for Impacted Individuals

PCLS is urging affected individuals to remain vigilant against identity theft and fraud. The organization recommends regularly reviewing bank and credit card statements and monitoring credit reports for suspicious activity. Under U.S. law, consumers are entitled to one free credit report annually from each of the three major credit bureaus: Equifax, Experian, and TransUnion. Individuals may also place fraud alerts or credit freezes on their credit files at no cost to help prevent unauthorized accounts from being opened in their name.

PCLS has provided a dedicated call center for questions related to the incident. As public library systems continue to expand their digital offerings, cybersecurity remains a critical challenge requiring sustained investment and vigilance.


 Cyber News

Japan is set to hold its first public-private sector tabletop exercise to prepare for large-scale cyberattacks, particularly those targeting critical infrastructure. The drill, scheduled for December 18th, will involve the central government, the Tokyo metropolitan government, and major infrastructure operators across the capital region.

The exercise comes amid a series of cyberattacks in Japan that have increasingly targeted sectors essential to daily life and economic activity. By simulating infrastructure disruptions, officials aim to identify vulnerabilities and establish a coordinated public-private response framework.

The exercise is designed around a scenario in which a sudden, large-scale power outage of unknown origin hits the Tokyo metropolitan area. Participants will simulate cascading disruptions affecting water supply, telecommunications, internet services, traffic networks, and railway operations. The goal is to replicate the chain reactions that could occur if a cyberattack hits multiple systems simultaneously.

If power outages are prolonged, healthcare facilities could face urgent challenges, including the care of patients dependent on ventilators or dialysis machines. Similarly, persistent traffic congestion could delay fuel deliveries, including gasoline and diesel, with serious repercussions for everyday life and commercial activity.

Collaboration Between Public and Private Sectors

The cybersecurity drill will involve key infrastructure sectors in Tokyo, including electricity, gas, telecommunications, healthcare, and finance. The National Security Secretariat and the Tokyo metropolitan government are leading the exercise, with participation from major private-sector operators. Officials hope the exercise will clarify existing coordination challenges and strengthen preparedness for real-world incidents.

By conducting its first public-private cyber drill, Japan seeks not only to test operational readiness but also to reinforce collaboration between government agencies and private infrastructure operators. The simulation emphasizes the need for real-time communication, rapid decision-making, and coordinated measures to mitigate the impact of cyber incidents.

Strengthening Japan’s Cyber Resilience

This marks an important step in Japan’s response to cyberattacks, particularly as the country has faced a series of incidents targeting critical infrastructure in recent years. Experts note that Japan, with its highly interconnected urban infrastructure, is particularly vulnerable to cyberattacks that can trigger cascading failures.

Disruptions in one sector, such as electricity, can quickly affect water distribution, transportation networks, healthcare facilities, and financial services. The Tokyo metropolitan area, as the nation’s economic and political center, is especially critical in this context.

As Japan faces new threats from highly skilled cyber actors, exercises such as this one in Tokyo are expected to become a regular component of national cybersecurity strategy. Officials believe that repeated drills will help identify gaps, improve response protocols, and enhance resilience against future cyberattacks on Japan’s essential infrastructure.


 Cyber News

The FBI Anchorage Field Office has issued a public warning after seeing a sharp increase in fraud cases targeting residents across Alaska. According to federal authorities, scammers are posing as law enforcement officers and government officials in an effort to extort money or steal sensitive personal information from unsuspecting victims.

The warning comes as reports continue to rise involving unsolicited phone calls in which criminals falsely claim to represent agencies such as the FBI or other local, state, and federal law enforcement bodies operating in Alaska. These scams fall under a broader category of law enforcement impersonation scams, which rely heavily on fear, urgency, and deception.

How the Phone Scam Works

Scammers typically contact victims using spoofed phone numbers that appear legitimate. In many cases, callers accuse individuals of failing to report for jury duty or missing a court appearance. Victims are then told that an arrest warrant has been issued in their name. To avoid immediate arrest or legal consequences, the caller demands payment of a supposed fine. Victims are pressured to act quickly, often being told they must resolve the issue immediately.

According to the FBI, these criminals may also provide fake court documents or reference personal details about the victim to make the scam appear more convincing. In more advanced cases, scammers may use artificial intelligence tools to enhance their impersonation tactics. This includes generating realistic voices or presenting professionally formatted documents that appear to come from official government sources. These methods have contributed to the growing sophistication of government impersonation scams nationwide.

Common Tactics Used by Scammers

Authorities note that these scams most often occur through phone calls and emails. Criminals commonly use aggressive language and insist on speaking only with the targeted individual. Victims are often told not to discuss the call with family members, friends, banks, or law enforcement agencies.

Payment requests are another key red flag. Scammers typically demand money through methods that are difficult to trace or reverse. These include cash deposits at cryptocurrency ATMs, prepaid gift cards, wire transfers, or direct cryptocurrency payments. The FBI has emphasized that legitimate government agencies never request payment through these channels.

FBI Clarifies What Law Enforcement Will Not Do

The FBI has reiterated that it does not call members of the public to demand payment or threaten arrest over the phone. Any call claiming otherwise should be treated as fraudulent. This clarification is a central part of the broader FBI warning that Alaska residents are being urged to take seriously.

Impact of Government Impersonation Scams

Data from the FBI’s Internet Crime Complaint Center (IC3) highlights the scale of the problem. In 2024 alone, IC3 received more than 17,000 complaints related to government impersonation scams across the United States. Reported losses from these incidents exceeded $405 million nationwide.

Alaska has not been immune. Reported victim losses in the state surpassed $1.3 million, underscoring the financial and emotional impact these scams can have on individuals and families.

How Alaskans Can Protect Themselves

To reduce the risk of falling victim, the FBI urges residents to “take a beat” before responding to any unsolicited communication. Individuals should resist pressure tactics and take time to verify claims independently. The FBI strongly advises against sharing or confirming personally identifiable information with anyone who makes unexpected contact. Alaskans are also cautioned never to send money, gift cards, cryptocurrency, or other assets in response to unsolicited demands.

What to Do If You Are Targeted

Anyone who believes they may have been targeted or victimized should immediately stop communicating with the scammer. Victims should notify their financial institutions, secure their accounts, contact local law enforcement, and file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov. Prompt reporting can help limit losses and prevent others from being targeted.


 Cyber News

Shashank Bajpai, CISO & CTSO at Yotta

2026 is the execution year for India’s Digital Personal Data Protection (DPDP) regime: the Rules were notified in November 2025 and the government has signalled a phased enforcement timeline. The law is consent-centric, imposes heavy penalties (up to ₹250 crore for the most serious security failures), creates a new institutional stack (Data Protection Board, Consent Managers), and elevates privacy to a boardroom priority. Organizations that treat compliance as a strategic investment, not a cost centre, will gain trust, operational resilience, and competitive advantage. Key themes for 2026: consent at scale, data minimization, hardened security, vendor accountability, and new dependency risks arising from Consent Manager infrastructure.

Why 2026 Matters

The DPDP Act (2023) becomes operational through Rules notified in November 2025; the result is a staggered compliance timetable that places 2026 squarely in the execution phase. That makes 2026 the inflection year when planning becomes measurable operational work and when regulators will expect visible progress. The practical effect is immediate: companies must move from policy documents to implemented consent systems, security controls, breach workflows, and vendor governance.

The High-Impact Obligations

• Explicit consent architecture: Consent must be free, specific, informed and obtained by clear affirmative action. Systems must record, revoke and propagate consent signals reliably.
• Data minimization & purpose limitation: Collect only what’s necessary and purge data when the purpose is fulfilled.
• Reasonable security safeguards: Highest penalty bracket (up to ₹250 crore) for failures to implement required security measures. Encryption, tokenization, RBAC, monitoring and secure third-party contracts are expected.
• Breach notification: Obligatory notification to the Data Protection Board and affected principals, with tight timelines (public guidance references 72-hour reporting windows for board notification).
• Data subject rights: Access, correction, erasure, withdrawal of consent and grievance mechanisms must be operational and auditable.
• Children’s data: Verifiable parental consent and prohibitions on behavioural profiling/targeted advertising toward minors; failures risk very high penalties.
• Consent Managers: New regulated intermediaries where individuals may centrally manage consent; only India-incorporated entities meeting financial/operational thresholds (minimum net worth indicated in Rules) can register. This constructs a new privacy infrastructure and a new dependency vector for data fiduciaries.

Implementation Challenges & Strategic Opportunities

1. Key Implementation Challenges

Regulatory Ambiguity & Evolving Interpretation
  What will break / strain in 2026: Unclear operational expectations around “informed consent,” Significant Data Fiduciary designation, and cross-border data transfers
  Why it matters to leadership: Risk of over-engineering or non-compliance as regulatory guidance evolves
  Strategic imperative: Build modular, configurable privacy architectures that can adapt without re-platforming

Legacy Systems & Distributed Data
  What will break / strain in 2026: Difficulty retrofitting consent enforcement, encryption, audit trails, and real-time controls into legacy and batch-oriented systems
  Why it matters to leadership: High cost, operational disruption, and extended timelines for compliance
  Strategic imperative: Prioritize modernization of high-risk systems and align vendor roadmaps with DPDP requirements

Organizational Governance & Talent Gaps
  What will break / strain in 2026: Privacy cuts across legal, product, engineering, HR, procurement—often without clear ownership; shortage of experienced DPOs
  Why it matters to leadership: Fragmented accountability increases regulatory and breach risk
  Strategic imperative: Establish cross-functional privacy governance; leverage fractional DPOs and external advisors while building internal capability

Children’s Data & Onboarding Friction
  What will break / strain in 2026: Age verification and parental consent slow user onboarding and impact conversion metrics
  Why it matters to leadership: Direct revenue and growth impact if UX is not carefully redesigned
  Strategic imperative: Re-engineer onboarding flows to balance compliance with user experience, especially in consumer platforms

Consent Manager Dependency & Systemic Risk
  What will break / strain in 2026: Outages or breaches at registered Consent Managers can affect multiple data fiduciaries simultaneously
  Why it matters to leadership: Creates concentration and third-party systemic risk
  Strategic imperative: Design fallback mechanisms, redundancy plans, and enforce strong SLAs and audit rights

2. Strategic Opportunities: Turning Compliance into Advantage

Trust as a Market Differentiator
  Business value: Privacy becomes a competitive trust signal, particularly in fintech, healthtech, and BFSI ecosystems.
  Strategic outcome: Strong DPDP compliance enhances brand equity, customer loyalty, partner confidence, and investor perception.

Operational Efficiency & Risk Reduction
  Business value: Data minimization, encryption, and segmentation reduce storage costs and limit breach blast radius.
  Strategic outcome: Privacy investments double as technical debt reduction with measurable ROI and lower incident recovery costs.

Global Market Access
  Business value: Alignment with global privacy principles simplifies cross-border expansion and compliance-sensitive partnerships.
  Strategic outcome: Faster deal closures, reduced due diligence friction, and improved access to regulated international markets.

Domestic Privacy & RegTech Ecosystem Growth
  Business value: Demand for Consent Managers, RegTech, and privacy engineering solutions creates a new domestic market.
  Strategic outcome: Strategic opportunity for Indian vendors to lead in privacy infrastructure and export DPDP-aligned solutions globally.

DPDP Readiness Roadmap for 2026

Immediate (0–3 Months)
  Key actions:
  • Establish a Board-level Privacy Steering Committee
  • Appoint or contract a Data Protection Officer (DPO)
  • Conduct rapid enterprise data mapping (repositories, processors, high-risk data flows)
  • Triage high-risk systems for encryption, access controls, and logging
  • Update breach response runbooks to meet Board and individual notification timelines
  Primary owners: Board, CEO, CISO, Legal, Compliance
  Strategic outcome: Executive accountability for privacy; clear visibility of data risk exposure; regulatory-ready breach response posture

Short Term (3–9 Months)
  Key actions:
  • Deploy a consent management platform interoperable with upcoming Consent Managers
  • Standardize DPDP-compliant vendor contracts and initiate bulk vendor renegotiation/audits
  • Automate data principal request handling (identity verification, APIs, evidence trails)
  Primary owners: CISO, CTO, Legal, Procurement, Product
  Strategic outcome: Operational DPDP compliance at scale; reduced manual handling risk; strengthened third-party governance

Medium Term (9–18 Months)
  Key actions:
  • Implement data minimization and archival policies focused on high-sensitivity datasets
  • Embed Privacy Impact Assessments (PIAs) into product development (“privacy by design”)
  • Stress-test reliance on Consent Managers and negotiate resilience SLAs and contingency plans
  Primary owners: Product, Engineering, CISO, Risk, Procurement
  Strategic outcome: Sustainable compliance architecture; reduced long-term data liability; privacy-integrated product innovation

Ongoing (Board Dashboard Metrics)
  Key metrics:
  • Consent fulfillment latency & revocation success rate
  • Mean time to detect and notify data breaches (aligned to regulatory windows)
  • % of sensitive data encrypted at rest and in transit
  • Vendor compliance score and DPA coverage
  Primary owners: Board, CISO, Risk & Compliance
  Strategic outcome: Continuous assurance, measurable compliance maturity, and defensible regulatory posture

Board-Level Takeaway

DPDP compliance in 2026 is not a one-time legal exercise; it is an operating model change. Organizations that treat privacy as a board-governed, product-integrated, and metrics-driven discipline will outperform peers on regulatory trust, customer confidence, and incident resilience.

The Macro View: Data Sovereignty & Trust Infrastructure

The Rules reinforce India’s intention to control flows of citizen data while creating domestic privacy infrastructure (DPB + Consent Managers + data auditors). This is not just regulation; it is an economic strategy to build domestic capability in cloud, identity, security and RegTech, and to position India as a credible participant in global data governance conversations.

Act Strategically, Not Reactively

DPDP is a structural shift: it will change products, engineering practices, contracts, and customer expectations. 2026 will reveal winners and laggards. Those that embrace privacy as a governance discipline and a product differentiator will realize measurable advantages in trust, operational resilience, and market value. The alternative, waiting until enforcement escalates, risks fines, reputational harm and erosion of customer trust.

(This article reflects the author’s analysis and personal viewpoints and is intended for informational purposes only. It should not be construed as legal or regulatory advice.)


 Cyber News

Asahi Group Holdings Ltd. is weighing the creation of a dedicated cybersecurity unit as it continues to deal with the prolonged impact of a ransomware incident that struck the company in late September. The Asahi cyberattack disrupted core operations, delayed financial reporting, and exposed vulnerabilities in both the company’s internal systems and Japan’s broader corporate cyber defenses.

The cyberattack on Asahi occurred on September 29, when a system disruption was detected at approximately 7:00 a.m. Japan Standard Time. Subsequent investigations confirmed that files within the company’s network had been encrypted by ransomware. By around 11:00 a.m. the same day, Asahi disconnected its network and isolated its data center in an effort to contain the damage.

According to Asahi Group Holdings, the attacker gained unauthorized access through network equipment located at a Group facility. Ransomware was deployed simultaneously across multiple active servers and some employee PC devices connected to the network. While the impact has been limited to systems managed in Japan, the disruption has been extensive.

Shift Toward Zero-Trust Security Model

Chief Executive Officer Atsushi Katsuki said the incident has prompted a fundamental reassessment of how information security is handled at the management level. As part of its recovery, Asahi Group Holdings has scrapped the use of virtual private networks and is adopting a stricter “zero-trust” model, which assumes no user or device inside the network can be automatically trusted.

“Information security is a management issue that should be given the highest priority,” Katsuki said. “We thought we had taken sufficient measures, which were easily broken. It made me realize there’s no limit to the precautions that can be taken.”

The Asahi cyberattack froze key business systems in Japan, forcing the company to shift order processing and shipments offline. The disruption hit at a critical time, delaying deliveries of year-end gift sets, a seasonal mainstay for the Japanese beverage market. As a result, November sales of beer and other alcoholic beverages fell by more than 20% compared with the same period a year earlier.

Operational and Financial Fallout Continues

Operational disruptions have gradually eased, but the effects on financial reporting remain significant. Asahi Group Holdings now expects its annual earnings disclosure to be delayed by more than 50 days. While partial third-quarter figures were released in November, Katsuki declined to set a new date for the full earnings announcement.

Before the cyberattack on Asahi, the company had forecast that operating profit for the year ending in December would decline 5.2% to ¥255 billion ($1.6 billion), on sales of ¥2.95 trillion. Once reporting resumes, Asahi plans to outline its growth strategy, with a particular focus on non-alcoholic and low-alcohol beverages, along with its investment plans.

Despite the setback, Katsuki said the breach does not threaten Asahi’s long-term foundation and expressed confidence that lost market share can be recovered. He expects most systems to be restored by February, with shelf space recovery and full competitive positioning returning from March.

Data Exposure, Recovery Efforts, and Broader Implications

In parallel with restoring operations, Asahi Group Holdings has been conducting a detailed forensic investigation in collaboration with external cybersecurity experts. In a statement released on November 27, 2025, the company disclosed that some data from company-issued PCs had been exposed and that personal information stored on servers may also have been affected. As of that date, there was no confirmation that server-based personal data had been published on the internet.

The investigation identified the following categories of personal information that have been or may have been exposed:

• data belonging to approximately 1.525 million individuals who contacted customer service centers of Asahi Breweries, Asahi Soft Drinks, and Asahi Group Foods;
• information related to 114,000 external contacts who received congratulatory or condolence telegrams;
• personal details of 107,000 employees and retirees;
• information concerning 168,000 family members of employees and retirees.

Asahi confirmed that no credit card information was included.

On November 26, Asahi submitted a final report to Japan’s Personal Information Protection Commission and stated that affected individuals will be notified in due course. A dedicated inquiry hotline was established to respond to questions related to personal data exposure.

System restoration efforts have taken roughly two months and have included containment of the ransomware, integrity checks, and enhanced security measures. Asahi said systems and devices confirmed to be secure will be restored in phases, with ongoing monitoring to prevent recurrence. Preventive measures include redesigned network controls, stricter connection restrictions, enhanced threat detection, updated backup strategies, revised business continuity plans, and expanded employee training and external audits.


 Business

Attackers often go after outdated and unused test accounts, or stumble upon publicly accessible cloud storage containing critical data that’s a bit dusty. Sometimes an attack exploits a vulnerability in an app component that was actually patched, say, two years ago. As you read these breach reports, a common theme emerges: the attacks leveraged something outdated: a service, a server, a user account… Pieces of corporate IT infrastructure that sometimes fall off the radar of IT and security teams. They become, in essence, unmanaged, useless, and simply forgotten. These IT zombies create risks for information security and regulatory compliance, and lead to unnecessary operational costs. This is generally an element of shadow IT — with one key difference: nobody wants, knows about, or benefits from these assets. In this post, we try to identify which assets demand immediate attention, how to identify them, and what a response should look like.

Physical and virtual servers

Priority: high. Vulnerable servers are entry points for cyberattacks, and they continue consuming resources while creating regulatory compliance risks.

Prevalence: high. Physical and virtual servers are commonly orphaned in large infrastructures following migration projects, or after mergers and acquisitions. Test servers no longer used after IT projects go live, as well as web servers for outdated projects running without a domain, are also frequently forgotten. The scale of the problem is illustrated by Let’s Encrypt statistics: in 2024, half of domain renewal requests came from devices no longer associated with the requested domain. And there are roughly a million of these devices in the world.

Detection: the IT department needs to implement an Automated Discovery and Reconciliation (AD&R) process that combines the results of network scanning and cloud inventory with data from the Configuration Management Database (CMDB). It enables the timely identification of outdated or conflicting information about IT assets, and helps locate the forgotten assets themselves. This data should be supplemented by external vulnerability scans that cover all of the organization’s public IPs.

Response: establish a formal, documented process for decommissioning/retiring servers. This process needs to include verification of complete data migration, and verified subsequent destruction of data on the server. Following these steps, the server can be powered down, recycled, or repurposed. Until all procedures are complete, the server needs to be moved to a quarantined, isolated subnet. To mitigate this issue for test environments, implement an automated process for their creation and decommissioning. A test environment should be created at the start of a project, and dismantled after a set period or following a certain duration of inactivity. Strengthen the security of test environments by enforcing their strict isolation from the primary (production) environment, and by prohibiting the use of real, non-anonymized business data in testing.

Forgotten user, service, and device accounts

Priority: critical. Inactive and privileged accounts are prime targets for attackers seeking to establish network persistence or expand their access within the infrastructure.

Prevalence: very high. Technical service accounts, contractor accounts, and non-personalized accounts are among the most commonly forgotten.

Detection: conduct regular analysis of the user directory (Active Directory in most organizations) to identify all types of accounts that have seen no activity over a defined period (a month, quarter, or year). Concurrently, it’s advisable to review the permissions assigned to each account, and remove any that are excessive or unnecessary.

Response: after checking with the relevant service owner on the business side or the employee’s supervisor, outdated accounts should simply be deactivated or deleted. A comprehensive Identity and Access Management (IAM) system offers a scalable solution to this problem. In such a system, the creation, deletion, and permission assignment for accounts are tightly integrated with HR processes.
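One way to implement the inactive-account review described above, as an added example that is not code from the original post: it parses a constructed directory export (CSV), applies an inactivity threshold, and grades each account by whether it is still enabled and whether it holds privileged group membership, so the output is a list of owner decisions rather than a raw dump. The export columns, the account-type field and the PRIVILEGED_GROUPS list are assumptions.

```python
"""Inactive and over-privileged account review over a directory export (added example)."""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample export, shaped like a scheduled dump of the user directory; no real accounts.
SAMPLE_EXPORT = """\
sam,type,enabled,last_logon,groups
alice,user,true,2025-11-28,Domain Users
bob,user,true,2025-06-02,Domain Users;Domain Admins
svc-backup,service,true,2024-03-15,Domain Users;Backup Operators
ctr-jdoe,contractor,true,2025-05-10,Domain Users;Remote Desktop Users
old-test01,user,false,2023-01-09,Domain Users
svc-etl,service,true,,Domain Users
svc-monitor,service,true,2025-11-30,Domain Users;Domain Admins
"""

# Groups treated as privileged for this review (assumed list; extend to your own tiering model).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Backup Operators"}
AS_OF = date(2025, 12, 1)  # review date used for the sample run


@dataclass
class Finding:
    sam: str
    severity: str          # critical / high / low / review
    action: str            # what the response step should be
    reasons: list = field(default_factory=list)


def parse_export(text):
    """Parse the CSV export into dicts with typed fields (set of groups, date or None)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = row["enabled"].strip().lower() == "true"
        row["groups"] = {g for g in row["groups"].split(";") if g}
        row["last_logon"] = date.fromisoformat(row["last_logon"]) if row["last_logon"] else None
        records.append(row)
    return records


def review_accounts(records, as_of, inactivity_days):
    """Return {sam: Finding} for every account that needs an owner decision."""
    cutoff = as_of - timedelta(days=inactivity_days)
    findings = {}
    for r in records:
        if r["last_logon"] is None:
            stale, why = True, "never logged on"
        elif r["last_logon"] < cutoff:
            stale, why = True, f"no activity since {r['last_logon']}"
        else:
            stale, why = False, None
        privileged = sorted(r["groups"] & PRIVILEGED_GROUPS)
        # Grade: stale + admin rights is the worst case; an active admin that is not a
        # personal account still gets a permissions review, as the post recommends.
        if stale and privileged:
            sev, action = "critical", "disable now, then confirm with owner before deletion"
        elif stale and r["enabled"]:
            sev, action = "high", "confirm with owner; disable if no longer needed"
        elif stale:
            sev, action = "low", "already disabled; delete after owner sign-off"
        elif privileged and r["type"] != "user":
            sev, action = "review", "non-personal account holds admin rights; verify it is required"
        else:
            continue
        reasons = [why] if why else []
        if privileged:
            reasons.append("member of privileged groups: " + ", ".join(privileged))
        findings[r["sam"]] = Finding(r["sam"], sev, action, reasons)
    return findings


def run_review(inactivity_days=90):
    """Run the review over the sample export as of AS_OF."""
    return review_accounts(parse_export(SAMPLE_EXPORT), AS_OF, inactivity_days)


if __name__ == "__main__":
    for f in sorted(run_review().values(), key=lambda f: f.severity):
        print(f"{f.severity:8} {f.sam:12} {f.action}  [{'; '.join(f.reasons)}]")
```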
For service accounts, it’s also essential to routinely review both the strength of passwords and the expiration dates of access tokens — rotating them as necessary.

Forgotten data stores

Priority: critical. Poorly controlled data in externally accessible databases, cloud storage and recycle bins, and corporate file-sharing services — even “secure” ones — has been a key source of major breaches in 2024–2025. The data exposed in these leaks often includes document scans, medical records, and personal information. Consequently, these security incidents also lead to penalties for non-compliance with regulations such as HIPAA, GDPR, and other data-protection frameworks governing the handling of personal and confidential data.

Prevalence: high. Archive data, data copies held by contractors, legacy database versions from previous system migrations — all of these often remain unaccounted for and accessible for years (even decades) in many organizations.

Detection: given the vast variety of data types and storage methods, a combination of tools is essential for discovery:

• Native audit subsystems within major vendor platforms, such as AWS Macie and Microsoft Purview
• Specialized Data Discovery and Data Security Posture Management (DSPM) solutions
• Automated analysis of inventory logs, such as S3 Inventory

Unfortunately, these tools are of limited use if a contractor creates a data store within its own infrastructure. Controlling that situation requires contractual stipulations granting the organization’s security team access to the relevant contractor storage, supplemented by threat intelligence services capable of detecting any publicly exposed or stolen datasets associated with the company’s brand.

Response: analyze access logs and integrate the discovered storage into your DLP and CASB tools to monitor its usage — or to confirm it’s truly abandoned. Use available tools to securely isolate access to the storage. If necessary, create a secure backup, then delete the data.
At the organizational policy level, it’s crucial to establish retention periods for different data types, mandating their automatic archiving and deletion upon expiry. Policies must also define procedures for registering new storage systems, and explicitly prohibit the existence of ownerless data that’s accessible without restrictions, passwords, or encryption. Unused applications and services on servers Priority: medium. Vulnerabilities in these services increase the risk of successful cyberattacks, complicate patching efforts, and waste resources. Prevalence: very high. services are often enabled by default during server installation, remain after testing and configuration work, and continue to run long after the business process they supported has become obsolete. Detection: through regular audits of software configurations. For effective auditing, servers should adhere to a role-based access model, with each server role having a corresponding list of required software. In addition to the CMDB, a broad spectrum of tools helps with this audit: tools like OpenSCAP and Lynis — focused on policy compliance and system hardening; multi-purpose tools like OSQuery; vulnerability scanners such as OpenVAS; and network traffic analyzers. Response: conduct a scheduled review of server functions with their business owners. Any unnecessary applications or services found running should be disabled. To minimize such occurrences, implement the principle of least privilege organization-wide and deploy hardened base images or server templates for standard server builds. This ensures no superfluous software is installed or enabled by default. Outdated APIs Priority: high. APIs are frequently exploited by attackers to exfiltrate large volumes of sensitive data, and to gain initial access into the organization. 
In 2024, the number of API-related attacks increased by 41%, with attackers specifically targeting outdated APIs, as these often serve data with fewer checks and restrictions. This was exemplified by the leak of 200 million records from X/Twitter.

Prevalence: high. When a service transitions to a new API version, the old one often remains operational for an extended period, particularly if it’s still used by customers or partners. These deprecated versions are typically no longer maintained, so security flaws and vulnerabilities in their components go unpatched.

Detection: at the WAF or NGFW level, monitor traffic to specific APIs and API versions. This helps detect anomalies that may indicate exploitation or data exfiltration (for example, a deprecated version that suddenly starts serving bulk reads to a single client), and also identifies APIs that get minimal traffic.

Response: for the identified low-activity APIs, collaborate with business stakeholders to develop a decommissioning plan, and migrate any remaining users to newer versions. For organizations with a large pool of services, this challenge is best addressed with an API management platform in conjunction with a formally approved API lifecycle policy. This policy should include well-defined criteria for deprecating and retiring outdated software interfaces.

Software with outdated dependencies and libraries

Priority: high. This is where large-scale, critical vulnerabilities like Log4Shell hide, leading to organizational compromise and regulatory compliance issues.

Prevalence: very high, especially in large-scale enterprise management systems, industrial automation systems, and custom-built software.

Detection: use a combination of vulnerability management (VM/CTEM) systems and software composition analysis (SCA) tools. For in-house development, scanners and comprehensive security checks must be integrated into the CI/CD pipeline to prevent software from being built with outdated components.
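The Detection paragraph of the Outdated APIs section above describes two signals from the same traffic: versions that get almost no requests (decommissioning candidates) and deprecated versions that suddenly carry bulk reads (a possible exfiltration). The following is an added example of pulling both out of ordinary access logs; it is not code from the original post. It assumes the nginx/Apache “combined” log format and URL paths versioned as /api/v<N>/..., and the log lines, CURRENT_VERSION and thresholds are constructed for the example. A WAF or API gateway export in a different format only needs a different LOG_RE.

```python
"""Spot deprecated and low-traffic API versions from access logs.

Added example, not code from the original post. Assumes "combined" log
format and paths versioned as /api/v<N>/...; the sample lines below and
CURRENT_VERSION are constructed.
"""
import re
from collections import defaultdict

CURRENT_VERSION = 3  # assumed: the only version that should still carry traffic

# Constructed sample lines (combined log format). The last two show one client
# paging through a deprecated endpoint with an oversized page size.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2025:10:01:12 +0000] "GET /api/v3/users/me HTTP/1.1" 200 512 "-" "mobile-app/5.2"
203.0.113.8 - - [14/Dec/2025:10:01:13 +0000] "GET /api/v3/orders?page=1 HTTP/1.1" 200 2048 "-" "web/2025.12"
203.0.113.9 - - [14/Dec/2025:10:01:20 +0000] "POST /api/v3/orders HTTP/1.1" 201 128 "-" "web/2025.12"
203.0.113.7 - - [14/Dec/2025:10:01:31 +0000] "GET /api/v3/orders/1001 HTTP/1.1" 200 900 "-" "mobile-app/5.2"
203.0.113.10 - - [14/Dec/2025:10:01:44 +0000] "GET /api/v3/users/me HTTP/1.1" 200 512 "-" "mobile-app/5.1"
203.0.113.11 - - [14/Dec/2025:10:02:02 +0000] "GET /api/v3/products?page=2 HTTP/1.1" 200 4096 "-" "web/2025.12"
203.0.113.12 - - [14/Dec/2025:10:02:15 +0000] "GET /api/v2/orders?page=1 HTTP/1.1" 200 2100 "-" "partner-sync/1.0"
198.51.100.23 - - [14/Dec/2025:10:02:40 +0000] "GET /api/v1/users?limit=10000 HTTP/1.1" 200 5242880 "-" "python-requests/2.31"
198.51.100.23 - - [14/Dec/2025:10:02:58 +0000] "GET /api/v1/users?limit=10000&offset=10000 HTTP/1.1" 200 5242880 "-" "python-requests/2.31"
203.0.113.13 - - [14/Dec/2025:10:03:01 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
VERSION_RE = re.compile(r"^/api/v(\d+)/")


def parse_log(text):
    """One dict per well-formed line; 'version' is None for non-API paths."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; in production count these separately
        path = m.group("path").split("?", 1)[0]  # drop the query string
        v = VERSION_RE.match(path)
        entries.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
            "version": int(v.group(1)) if v else None,
        })
    return entries


def version_stats(entries):
    """Requests, bytes served, distinct clients and endpoints per API version."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "clients": set(), "endpoints": set()})
    for e in entries:
        if e["version"] is None:
            continue
        s = stats[e["version"]]
        s["requests"] += 1
        s["bytes"] += e["bytes"]
        s["clients"].add(e["ip"])
        s["endpoints"].add(f"{e['method']} {e['path']}")
    return stats


def assess_versions(entries, current_version=CURRENT_VERSION, low_share=0.15, bulk_bytes=1 << 20):
    """Flag each version: 'deprecated' (older than current), 'low_traffic'
    (share of API requests below low_share) and 'bulk_read' (a deprecated
    version averaging >= bulk_bytes per response)."""
    stats = version_stats(entries)
    total = sum(s["requests"] for s in stats.values()) or 1
    findings = {}
    for ver, s in sorted(stats.items()):
        flags = []
        if ver < current_version:
            flags.append("deprecated")
        if s["requests"] / total < low_share:
            flags.append("low_traffic")
        if ver < current_version and s["bytes"] / s["requests"] >= bulk_bytes:
            flags.append("bulk_read")
        findings[ver] = {
            "requests": s["requests"],
            "clients": len(s["clients"]),
            "avg_bytes": s["bytes"] // s["requests"],
            "endpoints": sorted(s["endpoints"]),
            "flags": flags,
        }
    return findings


if __name__ == "__main__":
    for ver, f in assess_versions(parse_log(SAMPLE_LOG)).items():
        print(f"v{ver}: {f['requests']} req, {f['clients']} clients, "
              f"avg {f['avg_bytes']} B, flags={f['flags']}")
```

On the sample, v2 comes out as deprecated and low-traffic (one partner still syncing through it, so the decommissioning plan starts with that partner), while v1 is deprecated but not quiet: one client is pulling 5 MB pages of the users collection, which is the pattern the Detection paragraph calls an anomaly worth investigating rather than a version to quietly retire. Run it over a day or a week of logs rather than minutes, and compare shares against the previous period, since a version that is normally silent and then spikes is the interesting case.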
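For the dependency section above, an SCA tool matches an SBOM against a vulnerability database; the gate a CI pipeline needs even without such a feed is a check of every component against a list of minimum acceptable versions. The following is an added example of that check, not code from the original post or from any SCA product. It assumes a CycloneDX JSON SBOM (the components array with name, version and purl fields). The SBOM and the VERSION_FLOORS policy are constructed; only the log4j-core floor is grounded in a real vulnerability (Log4Shell, CVE-2021-44228, whose follow-up fixes run through 2.17.1), the other floors stand in for an organization’s own policy.

```python
"""Check an SBOM's components against minimum-version floors.

Added example, not code from the original post. Assumes a CycloneDX JSON
SBOM; SAMPLE_SBOM and VERSION_FLOORS are constructed for the example.
"""
import json

SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "group": "com.example", "name": "legacy-auth",
     "version": "1.2.0", "purl": "pkg:maven/com.example/legacy-auth@1.2.0"},
    {"type": "library", "name": "moment"}
  ]
}"""

# Minimum acceptable version per package URL (purl without the version part).
# Only the log4j-core entry is backed by a real CVE; the rest are constructed.
VERSION_FLOORS = {
    "pkg:maven/org.apache.logging.log4j/log4j-core":
        ("2.17.1", "Log4Shell (CVE-2021-44228) and follow-up fixes"),
    "pkg:npm/lodash": ("4.17.21", "organizational minimum (constructed)"),
    "pkg:maven/com.example/legacy-auth": ("2.0.0", "internal library, 1.x end-of-life (constructed)"),
}


def parse_version(v):
    """Comparable key: numeric parts padded to four, then a release flag so
    that 2.17.1 > 2.17.1-rc1 and 2.17 == 2.17.0. Non-numeric parts count as 0."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    nums = (nums + (0, 0, 0, 0))[:4]
    return nums, pre == ""


def version_at_least(have, minimum):
    return parse_version(have) >= parse_version(minimum)


def check_sbom(sbom, floors):
    """Return findings for components below their floor or with no version at all."""
    findings = []
    for c in sbom.get("components", []):
        purl = c.get("purl", "").split("@", 1)[0]  # strip version and qualifiers
        name = purl or c.get("name", "<unnamed>")
        version = c.get("version")
        if not version:
            # An unpinned component cannot be audited; fail it rather than skip it.
            findings.append({"component": name, "version": None, "minimum": None,
                             "reason": "unpinned version"})
            continue
        if purl in floors:
            minimum, reason = floors[purl]
            if not version_at_least(version, minimum):
                findings.append({"component": name, "version": version,
                                 "minimum": minimum, "reason": reason})
    return findings


def check_sbom_text(text, floors=VERSION_FLOORS):
    return check_sbom(json.loads(text), floors)


if __name__ == "__main__":
    problems = check_sbom_text(SAMPLE_SBOM)
    for p in problems:
        print(f"{p['component']} {p['version']} < {p['minimum']}: {p['reason']}")
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the CI stage
```

The script exits non-zero when any component is below its floor or carries no version, which is what makes it usable as a build gate. The version comparison is deliberately simple; for Maven, npm and PyPI ecosystems with their own ordering rules (qualifiers, epochs, post-releases) use the ecosystem’s own comparator or an SCA tool, and treat this as the fallback for internal libraries the tools do not know about.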
Response: company policies must require IT and development teams to update software dependencies systematically. When building internal software, dependency analysis should be part of the code review process. For third-party software, it’s crucial to regularly audit the status and age of dependencies. For external software vendors, updating dependencies should be a contractual requirement affecting support timelines and project budgets. To make these requirements feasible, it’s essential to maintain an up-to-date software bill of materials (SBOM). You can read more about timely and effective vulnerability remediation in a separate blog post.

Forgotten websites

Priority: medium. Forgotten web assets can be exploited by attackers for phishing, hosting malware, or running scams under the organization’s brand, damaging its reputation. In more serious cases, they can lead to data breaches, or serve as a launchpad for attacks against the company itself. A specific subset of this problem involves forgotten domains that were used for one-time activities, expired, and weren’t renewed, making them available for purchase by anyone.

Prevalence: high, especially for sites launched for short-term campaigns or one-off internal activities.

Detection: the IT department must maintain a central registry of all public websites and domains, and verify the status of each with its owners on a monthly or quarterly basis. Additionally, scanners or DNS monitoring can be used to track domains associated with the company’s IT infrastructure. Another layer of protection is provided by threat intelligence services, which can independently detect any websites associated with the organization’s brand.

Response: establish a policy for scheduled website shutdown after a fixed period following the end of its active use. Implement automated domain registration and renewal tracking to prevent the loss of control over the company’s domains.

Unused network devices

Priority: high.
Routers, firewalls, surveillance cameras, and network storage devices that are connected but left unmanaged and unpatched make for the perfect attack launchpad. These forgotten devices often harbor vulnerabilities and almost never have proper monitoring — no EDR or SIEM integration — yet they hold a privileged position in the network, giving attackers an easy gateway to escalate attacks against servers and workstations.

Prevalence: medium. Devices get left behind during office moves, network infrastructure upgrades, or temporary workspace setups.

Detection: use the same network inventory tools mentioned in the forgotten servers section, as well as regular physical audits to compare network scans against what’s actually plugged in. Active network scanning can uncover entire untracked network segments and unexpected external connections.

Response: ownerless devices can usually be pulled offline immediately. But beware: cleaning them up requires the same care as scrubbing servers, to prevent leaks of network settings, passwords, office video footage, and so on.
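The Detection step above comes down to reconciling what an active scan sees against what the CMDB says should be there. The following is an added example of that reconciliation, not code from the original post. It assumes nmap’s greppable output (nmap -sV -oG <file> <range>) and a CMDB export reduced to a dict keyed by IP address; the scan text and CMDB entries are constructed for the example.

```python
"""Reconcile an nmap scan of a segment against the CMDB to find unmanaged devices.

Added example, not code from the original post. Assumes nmap greppable
output (-oG); SAMPLE_SCAN and CMDB are constructed.
"""
import re

# Constructed nmap -oG output. Fields are tab-separated; each port entry is
# port/state/protocol/owner/service/rpc-info/version.
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated Sun Dec 14 09:00:00 2025 as: nmap -sV -oG - 10.10.5.0/24\n"
    "Host: 10.10.5.1 (gw.corp.example)\tStatus: Up\n"
    "Host: 10.10.5.1 (gw.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, "
    "443/open/tcp//https//nginx/\tIgnored State: closed (998)\n"
    "Host: 10.10.5.44 ()\tStatus: Up\n"
    "Host: 10.10.5.44 ()\tPorts: 80/open/tcp//http//lighttpd 1.4.35/, "
    "554/open/tcp//rtsp///\tIgnored State: closed (998)\n"
    "Host: 10.10.5.200 (nas-old)\tStatus: Up\n"
    "Host: 10.10.5.200 (nas-old)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "445/open/tcp//microsoft-ds//Samba smbd 3.X/\tIgnored State: closed (998)\n"
    "# Nmap done at Sun Dec 14 09:06:12 2025 -- 256 IP addresses (3 hosts up) scanned\n"
)

# Constructed CMDB extract: what the segment is supposed to contain.
CMDB = {
    "10.10.5.1": {"hostname": "gw.corp.example", "owner": "netops", "role": "gateway"},
    "10.10.5.10": {"hostname": "app01.corp.example", "owner": "platform", "role": "app-server"},
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Map IP -> {hostname, up, ports:[{port, proto, service, version}]}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines
        ip, hostname, rest = m.groups()
        h = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        for field in rest.split("\t"):
            label, _, value = field.partition(": ")
            if label == "Status":
                h["up"] = value == "Up"
            elif label == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if len(parts) < 7 or parts[1] != "open":
                        continue
                    h["up"] = True  # a Ports line implies the host answered
                    h["ports"].append({
                        "port": int(parts[0]), "proto": parts[2],
                        "service": parts[4], "version": parts[6],
                    })
    return hosts


def reconcile(scan, cmdb):
    """unknown: live hosts absent from the CMDB (triage these first);
    missing: CMDB hosts that did not answer (moved, off, or stale record);
    known: hosts present in both."""
    unknown = {ip: h for ip, h in scan.items() if h["up"] and ip not in cmdb}
    missing = sorted(ip for ip in cmdb if ip not in scan or not scan[ip]["up"])
    known = sorted(ip for ip in scan if ip in cmdb)
    return {"unknown": unknown, "missing": missing, "known": known}


if __name__ == "__main__":
    result = reconcile(parse_grepable(SAMPLE_SCAN), CMDB)
    for ip, h in result["unknown"].items():
        services = ", ".join(f"{p['port']}/{p['proto']} {p['service']} {p['version']}".strip()
                             for p in h["ports"])
        print(f"UNKNOWN {ip} ({h['hostname'] or 'no name'}): {services}")
    print("missing from scan:", result["missing"])
    print("known:", result["known"])
```

On the sample the two unknown hosts are exactly the kind of leftover the section describes: a nameless box answering on HTTP and RTSP (a camera) and an old NAS offering FTP and SMB. The service banners give the triage order before anyone walks to the rack. Run the scan from inside each segment, since firewalls between segments hide exactly the devices you are looking for, and keep the CMDB keyed by MAC or serial as well as IP where DHCP is in use.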

 Feed

The pro-Russian hacktivist group known as CyberVolk (aka GLORIAMIST) has resurfaced with a new ransomware-as-a-service (RaaS) offering called VolkLocker that suffers from implementation lapses in test artifacts, allowing users to decrypt files without paying an extortion fee. According to SentinelOne, VolkLocker (aka CyberVolk 2.x) emerged in August 2025 and is capable of targeting both Windows

 Feed

Cybersecurity researchers have disclosed details of an active phishing campaign that's targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images. The activity, codenamed Operation MoneyMount-ISO by Seqrite Labs, has primarily singled out finance and accounting entities, with those in the procurement, legal, payroll

 Feed

Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations. The shortcomings, discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025, are listed below - CVE-2025-61675 (CVSS score: 8.6) - Numerous

 Feed

If you use a smartphone, browse the web, or unzip files on your computer, you are in the crosshairs this week. Hackers are currently exploiting critical flaws in the daily software we all rely on—and in some cases, they started attacking before a fix was even ready. Below, we list the urgent updates you need to install right now to stop these active threats. ⚡ Threat of the Week Apple and

 Feed

In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale. A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into

 Feed

A Google Chrome extension with a "Featured" badge and six million users has been observed silently gathering every prompt entered by users into artificial intelligence (AI)-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity. The extension in question is Urban VPN Proxy, which has a 4.7 rating on the Google Chrome

 Guest blog

A 49-year-old man has received a five-and-a-half year jail sentence after admitting to creating detailed video tutorials that showed members of a criminal gang how to infect Android phones with spyware and drain their bank accounts. Read more in my article on the Hot for Security blog.

2025-12
Aggregator history
Monday, December 15