At least 20 Canadian government networks have been compromised by Chinese state-sponsored threat actors, who have maintained access over the past four years to steal valuable data. The Canadian Centre for Cyber Security (Cyber Centre) confirmed the compromises in its National Cyber Threat Assessment 2025-2026. The Cyber Centre noted that the threat actors targeted information
The US Cybersecurity and Infrastructure Security Agency (CISA) has published its first ever international strategic plan, designed to boost international cooperation in combatting cyber threats to critical infrastructure. The plan acknowledges the complex and geographically dispersed nature of cyber risks, and the need for threat information and risk reduction advice to be shared rapidly with
Meeting compliance requirements with the EU’s Network and Information Security (NIS)2 Directive has forced many organizations to divert funds from other areas of the business, according to research from Veeam. The cybersecurity firm found that 95% of applicable firms had done so to meet the new requirements. Over a third (34%) of these EMEA-based businesses
A team from Vietnam scooped the top prize at the very first Pwn2Own Ireland event on Friday, with over $1m in awards handed out by Trend Micro’s Zero Day Initiative (ZDI) for dozens of new discoveries. The popular hacking competition set up camp in Trend Micro’s Cork office for the first time last week, with
The Irish Data Protection Commission (DPC) has issued a €310m ($336m) fine to LinkedIn Ireland Unlimited Company over violation of the EU’s General Data Protection Regulation (GDPR) in relation to the firm’s advertising practices. This decision came after a complaint initially made in August 2018 by a French non-profit organization, La Quadrature Du Net, to
The Change Healthcare ransomware attack has impacted the personal information of 100 million US citizens, updated figures from the US Department of Health and Human Services (HHS) have revealed. The figure means the attack, which began in February 2024, is the largest known data breach of US healthcare records ever recorded. The HHS Office for
Ukrainian authorities have warned of a mass phishing attack aimed at stealing sensitive personal data of citizens. The attackers, tracked under the identifier UAC-0218, send phishing links that purport to be bills or payment details but actually lead to the download of data-stealing malware. Once downloaded, this script searches the victim’s device for documents in
Fortinet has confirmed that a critical zero-day vulnerability affecting its FortiManager network management solution is being exploited in the wild. In an October 23 security advisory, the cybersecurity provider shared more information on CVE-2024-47575, a vulnerability allowing threat actors to use a compromised FortiManager device to execute arbitrary code or commands against other FortiManager devices. This
Nearly 70% of business leaders believe their employees lack critical cybersecurity knowledge, a sharp increase from 56% in 2023. The figure comes from Fortinet’s latest 2024 Security Awareness and Training Global Research Report, which also suggests that AI-driven cyber-attacks are becoming more difficult for employees to detect. Over 60% of respondents expect a rise in employees
Transak, a fiat-to-crypto payment gateway provider, has reported a security incident which has impacted 92,554 of its users. Attackers gained unauthorized access to one of the firm’s employee laptops through a sophisticated phishing attack. The firm said that the attacker used compromised credentials to log in to the system of a third-party KYC vendor that
Australian businesses now have a list of best practices to refer to when using commercial AI products. The Office of the Australian Information Commissioner (OAIC) published on October 21 guidance on the use of commercially available AI products. The document explains in detail organizations’ obligations when using personal information in the context of off-the-shelf AI
Microsoft has uncovered a macOS vulnerability that can enable attackers to gain access to users’ protected data, and warned active exploitation may be taking place. The flaw, dubbed “HM Surf,” allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology to access sensitive user data, including browsed pages and the device’s camera,
Most of Internet Archive’s services have resumed after a series of distributed denial-of-service (DDoS) attacks took the world’s largest digital library’s website offline several times over the past few days. In a blog post published on October 18, the non-profit confirmed that many services are now up and running, including its Wayback Machine, Archive-It, scanning
Meta’s Instagram has announced new security measures to protect people on its platform from sextortion scams. Sextortion is a crime where scammers threaten to expose intimate imagery of their victims if they do not comply with the criminal’s demands, typically financial payment. These features included hiding follower and following lists from potential sextortion scammers, preventing
North Korean threat actors have adopted new tactics to escalate fake IT worker insider attacks, including extorting their former employers, researchers from Secureworks have found. The cybersecurity firm said the development, attributed to the Nickel Tapestry threat group, marks a significant deviation from previously established tactics. In many earlier North Korea fake IT worker schemes,
Cyber-threats are escalating beyond the collective ability to defend against them, new UK National Cyber Security Centre (NCSC) head Dr Richard Horne has warned. In his first international speech at Singapore International Cyber Week, Horne said that increased dependence on technology is widening the gap between the escalating threats to societies, critical services, and businesses,
A new sophisticated malicious campaign is using an undetected Cerberus Android banking Trojan payload, according to cybersecurity provider Cyble. In a new report published on October 14, Cyble Research and Intelligence Labs (CRIL) identified 15 malicious samples posing as Chrome and Play Store apps from mid-September through the end of October. These samples use a multi-stage
Japanese game developer Game Freak, the firm behind the Pokémon franchise, has suffered a security breach exposing the data of 2606 employees and partners. The leak first appeared on forum 4chan in early October and is now circulating on social media and online forums under the name ‘TeraLeak’, following the naming trend of the 2020
The US Customs and Border Protection (CBP) agency has been forced to release documentation on CBP One, its border control app accused of mishandling migrants’ personal data. In December 2022, digital rights advocacy organization Access Now submitted a Freedom of Information Act (FOIA) request in the US, seeking all records from the CBP One app’s
NHS England has posted an alert relating to a critical Veeam Backup & Replication vulnerability which is now under active exploitation by ransomware groups. Successful exploitation of the vulnerability (CVE-2024-40711) could lead to remote code execution (RCE), the alert noted. RCE could allow attackers to run code on a remote device without the need for
As open source software (OSS) consumption soars, there has been a 156% surge in open source malware, according to new findings by Sonatype. More than 704,102 malicious packages have been identified since 2019, and 512,847 of these have been discovered since November 2023, the firm’s 10th Annual State of the Software Supply Chain report found.
The world’s most famous digital library has suffered a series of cyber-attacks that rendered its site, including its Wayback Machine, temporarily unavailable and exposed the data of 31 million users. On October 8, 2024, Internet Archive founder, Brewster Kahle, confirmed on X that archive.org was hit by a distributed denial-of-service (DDoS) attack before announcing a
The Australian government has introduced the country’s first standalone cybersecurity law to Parliament. The new legislation aims to better protect citizens and organizations against a heightened geopolitical and cyber threat environment. The Cyber Security Bill 2024 covers a range of areas, including mandating minimum cybersecurity standards for IoT devices and mandatory ransomware reporting for critical
Cyber-enabled fraud resulted in up to $37bn in losses for victims in East and Southeast Asia in 2023, with governments left unable to contain these threats, a United Nations (UN) report has warned. The analysis by the United Nations Office on Drugs and Crime (UNODC) highlighted that organized crime groups in the region have rapidly
New rules introduced in the UK today to refund victims of authorized push payment (APP) scams could still leave many high and dry, a non-profit has warned. The UK Chartered Trading Standards Institute (CTSI), which is dedicated to consumer protection and fair business practices, argued that the cap on the Mandatory APP Reimbursement Scheme is
A financially-motivated threat actor has been observed targeting organizations globally with a MedusaLocker ransomware variant, according to an analysis by Cisco Talos. The variant, known as “BabyLockerKZ,” has been around since at least late 2023, and this is the first time it has been specifically called out as a MedusaLocker variant. This variant uses the
Playbooks and tools are only as good as the people using them and a lack of trust and cooperation can derail even the most carefully crafted cyber response. Both technical teams and non-cyber business leaders must have the right skills and experiences to successfully deal with inevitable cyber incidents in an evolving threat landscape. The
Sellafield Ltd has been fined £332,500 ($437,440) for cybersecurity failings running the Sellafield nuclear facility in Cumbria, North-West England. The fine was issued by Westminster Magistrates Court following a prosecution brought by the Office for Nuclear Regulation (ONR), the UK’s independent nuclear regulator. Sellafield Ltd has also been ordered to pay prosecution costs of £53,253.20
The Police Service of Northern Ireland (PSNI) has been criticized for procedural failings that exposed the personal data of its officers and other staff. Meanwhile, a fine of £750,000 ($984,000) has been issued by the Information Commissioner’s Office (ICO). The data protection watchdog highlighted the significant harm and distress caused to personnel by the incident,
Meta has announced what it claims to be a “first-of-its-kind” information-sharing agreement with UK banks in a bid to arrest a growing social media fraud epidemic. The Fraud Intelligence Reciprocal Exchange (FIRE) will see high street lenders share threat intelligence with the social media giant so that it can take more targeted action to remove