Security intelligence covering Asset Security: Data classification, ownership, privacy protection, retention policies, and data security standards.https://cipherwatch.io/en-gbhttps://cipherwatch.io/articles/2026-06-16-irhythm-cardiac-monitoring-data-breach-phi/https://cipherwatch.io/articles/2026-06-16-irhythm-cardiac-monitoring-data-breach-phi/iRhythm Holdings disclosed a data breach after social engineering granted attackers access to third-party systems hosting protected health information for approximately 12 million patients. A ransom demand was received on 9 June, and HIPAA breach notification timelines are now active for any covered entity whose patient data iRhythm processes.Tue, 16 Jun 2026 00:00:00 GMThealthcaredata-breachphihipaasocial-engineeringransomwarehttps://cipherwatch.io/articles/2026-06-15-novo-nordisk-clinical-trials-data-breach/https://cipherwatch.io/articles/2026-06-15-novo-nordisk-clinical-trials-data-breach/Danish pharmaceutical giant Novo Nordisk has disclosed a cybersecurity incident in which attackers gained unauthorised access to IT systems holding personal data of clinical trial participants, including individuals enrolled in GLP-1 receptor agonist trials for Ozempic and Wegovy. The breach raises significant regulatory concerns under EU clinical trial data protection requirements and the ICH GCP framework governing trial participant data handling.Mon, 15 Jun 2026 00:00:00 GMTpharmaceuticalclinical-trialshealthcaredata-breachgdprnovo-nordiskgcptrial-participant-datahttps://cipherwatch.io/articles/2026-06-14-dell-idrac-dsa-2026-239-privilege-escalation-poweredge/https://cipherwatch.io/articles/2026-06-14-dell-idrac-dsa-2026-239-privilege-escalation-poweredge/Dell has patched a high-severity privilege escalation vulnerability in the iDRAC9 remote management controller affecting PowerEdge servers across multiple generations. CVE-2026-23856, rated CVSS 8.8, allows a low-privileged authenticated attacker to escalate to Administrator rights on the iDRAC management plane — granting control over server power, firmware, BIOS settings, and virtual console access outside the scope of the host operating system.Sun, 14 Jun 2026 00:00:00 GMTdellidraccve-2026-23856privilege-escalationpoweredgeserver-managementhardware-securitybmchttps://cipherwatch.io/articles/2026-06-13-chrome-enterprise-browser-management-zero-day/https://cipherwatch.io/articles/2026-06-13-chrome-enterprise-browser-management-zero-day/CVE-2026-11645's active exploitation before the patch highlights a persistent gap in enterprise browser management: many organisations do not maintain accurate browser version inventories or have the ability to push browser updates faster than the standard monthly patch cycle. This guide covers Chrome fleet management, version enforcement, and emergency update deployment.Sat, 13 Jun 2026 00:00:00 GMTchromegooglebrowser-securityasset-managementcve-2026-11645enterprise-browserfleet-managementgroup-policyintunecbcmhttps://cipherwatch.io/articles/2026-06-11-windows-server-patch-velocity-june-2026-enterprise/https://cipherwatch.io/articles/2026-06-11-windows-server-patch-velocity-june-2026-enterprise/After the largest Microsoft Patch Tuesday of 2026, enterprise teams face the challenge of patching Windows Server fleets at emergency speed while avoiding the outages that come with untested updates. This article addresses patch deployment sequencing, testing compression strategies, and rollback planning for the June 2026 emergency patch cycle.Thu, 11 Jun 2026 00:00:00 GMTwindows-serverpatch-managementasset-managementwsussccmintunevulnerability-managementpatch-velocityenterprise-operationshttps://cipherwatch.io/articles/2026-06-06-free-apps-smart-tvs-residential-proxy-nodes-ai-scraping/https://cipherwatch.io/articles/2026-06-06-free-apps-smart-tvs-residential-proxy-nodes-ai-scraping/Research published this week reveals that multiple free consumer applications are silently enrolling Android TV devices and Smart TV platforms as exit nodes for residential proxy networks, routing third-party AI web scraping and data harvesting traffic through household internet connections. Users receive free app access; their bandwidth and IP address are sold to commercial proxy operators without meaningful disclosure.Sat, 06 Jun 2026 00:00:00 GMTsmart-tvresidential-proxyandroid-tvconsumer-devicesprivacyunauthorized-accessiot-securityshadow-infrastructurehttps://cipherwatch.io/articles/2026-06-05-magento-ecommerce-platform-security-inventory/https://cipherwatch.io/articles/2026-06-05-magento-ecommerce-platform-security-inventory/CVE-2026-45247's CISA KEV status means organisations running Mirasvit Full Page Cache Warmer are now under a federal mandate to remediate — and should be asking whether their eCommerce platform inventory is accurate enough to comply. Magento deployments often span multiple versions, extension states, and customisation layers that make attack surface visibility a genuine challenge.Fri, 05 Jun 2026 00:00:00 GMTmagentoecommercecve-2026-45247asset-inventorypci-dssplatform-securityextension-managementhttps://cipherwatch.io/articles/2026-06-03-linux-kernel-patch-enterprise-asset-management/https://cipherwatch.io/articles/2026-06-03-linux-kernel-patch-enterprise-asset-management/The CVE-2026-46243 disclosure — a 19-year-old kernel flaw with a public root exploit and distribution patches already available — is a useful lens for examining how enterprises manage Linux kernel versions as security-relevant assets. Many organisations have robust patch management for applications but inconsistent processes for kernel updates, particularly on specialised infrastructure like database hosts and container nodes.Wed, 03 Jun 2026 00:00:00 GMTlinuxkernelpatch-managementasset-managementcve-2026-46243vulnerability-managementfleet-trackinghttps://cipherwatch.io/articles/2026-06-02-android-enterprise-mobile-patch-management-emm/https://cipherwatch.io/articles/2026-06-02-android-enterprise-mobile-patch-management-emm/The June 2026 Android Security Bulletin — which includes an actively exploited zero-day — highlights a structural challenge for enterprise Android fleet management: Google publishes a patch, but enterprise coverage depends on OEM update timelines, carrier approval processes, and EMM deployment policies that can extend the effective exposure window by weeks. This guide covers a practical approach to managing the gap.Tue, 02 Jun 2026 00:00:00 GMTandroidmobile-securityemmenterprise-mobilitypatch-managementmdmintuneasset-managementsamsung-knoxhttps://cipherwatch.io/articles/2026-05-28-amd-cpu-firmware-enterprise-asset-management/https://cipherwatch.io/articles/2026-05-28-amd-cpu-firmware-enterprise-asset-management/CVE-2026-46174 requires a PI firmware (BIOS/UEFI) update to deliver the AMD Zen 2 microcode fix — not a software patch. For enterprises running AMD EPYC Rome servers or Zen 2-based workstations, this means a separate patch track from OS-level vulnerability management. An asset-based approach to CPU generation inventory is the prerequisite.Thu, 28 May 2026 00:00:00 GMTamdzen2firmwareasset-managementmicrocodeepycbios-updatehardware-securityhttps://cipherwatch.io/articles/2026-05-26-apple-retroactive-cve-disclosures-macos-ios-transparency/https://cipherwatch.io/articles/2026-05-26-apple-retroactive-cve-disclosures-macos-ios-transparency/Apple updated multiple security pages on 26 May to add CVE identifiers and technical details for vulnerabilities that were patched weeks or months earlier with minimal public disclosure. The retroactively disclosed issues include a CoreServices root escalation via malicious app, a Siri Private Browsing bypass, and a call history fingerprinting flaw — none were disclosed as separate security updates at the time of patching.Tue, 26 May 2026 00:00:00 GMTapplemacosioscve-disclosuretransparencyprivacyroot-escalationpatch-managementhttps://cipherwatch.io/articles/2026-05-19-eolife-network-equipment-asset-management-lifecycle/https://cipherwatch.io/articles/2026-05-19-eolife-network-equipment-asset-management-lifecycle/The SonicWall Generation 6 end-of-life situation reveals a consistent gap in enterprise asset management: network equipment EoL dates are not tracked with the same rigour as software licence renewals or server hardware refresh cycles. Organisations with accurate, proactively managed network equipment lifecycle records have a weeks-to-months advantage in responding to EoL-driven security risks.Tue, 19 May 2026 00:00:00 GMTasset-managementend-of-lifenetwork-equipmentsonicwallvpnlifecyclecmdbhttps://cipherwatch.io/articles/2026-05-15-teampcp-mistral-ai-code-repository-theft/https://cipherwatch.io/articles/2026-05-15-teampcp-mistral-ai-code-repository-theft/The TeamPCP extortion group is advertising stolen Mistral AI source code repositories on dark web forums, claiming access was obtained as a side effect of the Shai-Hulud npm supply chain campaign targeting AI development infrastructure. The breach potentially exposes Mistral's proprietary model training code, API infrastructure, and internal tooling to competitors and nation-state actors.Fri, 15 May 2026 00:00:00 GMTmistral-aisource-code-theftteampcpsupply-chainintellectual-propertyhttps://cipherwatch.io/articles/2026-05-11-zara-inditex-data-breach-197k-confirmed/https://cipherwatch.io/articles/2026-05-11-zara-inditex-data-breach-197k-confirmed/Inditex has confirmed that a breach of Zara customer data exposed the personal information of approximately 197,000 people, substantiating the ShinyHunters extortion claim from late April 2026. Exposed data includes names, email addresses, postal addresses, phone numbers, and purchase history. European GDPR notification has been filed and affected customers are being contacted.Mon, 11 May 2026 00:00:00 GMTzarainditexdata-breachshinyhuntersgdprretailcustomer-datapiihttps://cipherwatch.io/articles/2026-05-07-openemr-critical-cves-100k-healthcare-providers/https://cipherwatch.io/articles/2026-05-07-openemr-critical-cves-100k-healthcare-providers/Aisle security researchers have disclosed 38 vulnerabilities in OpenEMR — the world's most widely deployed open-source electronic medical records and practice management system, used by over 100,000 healthcare providers globally. Three of the vulnerabilities are critical, allowing unauthenticated remote code execution and patient record exfiltration. OpenEMR 7.0.2 patch 2 addresses all reported issues; unpatched instances are a direct patient data and regulatory liability.Thu, 07 May 2026 00:00:00 GMTopenemrhealthcareemrpatient-datacritical-vulnerabilityrcehipaagdprmedical-recordshttps://cipherwatch.io/articles/2026-05-06-salesforce-marketing-cloud-ssti-contacts-db-exposure/https://cipherwatch.io/articles/2026-05-06-salesforce-marketing-cloud-ssti-contacts-db-exposure/SL Cyber researchers have disclosed five patched vulnerabilities in Salesforce Marketing Cloud (ExactTarget), the most critical of which — a server-side template injection flaw — allowed an authenticated marketing user to exfiltrate the complete contacts database and historical email campaign content of any Salesforce Marketing Cloud instance. The vulnerabilities were patched by Salesforce; organisations should verify which contact data and historical communications were accessible to marketing team members.Wed, 06 May 2026 00:00:00 GMTsalesforcemarketing-cloudtemplate-injectiondata-exposuressticrmcontact-datagdprhttps://cipherwatch.io/articles/2026-05-03-instructure-canvas-lms-data-breach/https://cipherwatch.io/articles/2026-05-03-instructure-canvas-lms-data-breach/Instructure, the company behind Canvas Learning Management System used by thousands of universities and K-12 school districts globally, has disclosed a cybersecurity incident affecting an internal infrastructure component. The scope of student, faculty, and institutional data potentially exposed is under forensic investigation. Institutions running Canvas should activate their incident response contact with Instructure and review data sharing scope.Sun, 03 May 2026 00:00:00 GMTdata-breacheducationlmsstudent-dataferpaprivacyhttps://cipherwatch.io/articles/2026-05-02-trellix-source-code-repository-breach/https://cipherwatch.io/articles/2026-05-02-trellix-source-code-repository-breach/Cybersecurity vendor Trellix has confirmed unauthorised access to an internal source code repository, with law enforcement notified and a forensic investigation ongoing. The breach raises concerns about potential weaponisation of security product internals against Trellix's enterprise customer base.Sat, 02 May 2026 00:00:00 GMTdata-breachsource-code-theftsecurity-vendorthreat-intelligencesupply-chainhttps://cipherwatch.io/articles/2026-05-01-dprk-ai-npm-malware-fake-firms/https://cipherwatch.io/articles/2026-05-01-dprk-ai-npm-malware-fake-firms/North Korean threat actors have launched a new wave of npm supply chain attacks using AI-generated malicious package code that bypasses static analysis tools, fake software development firms as cover identities, and a multi-stage RAT that exfiltrates source code, cryptographic keys, and credentials from developer workstations. The campaign targets blockchain, DeFi, and fintech developers — organisations in these sectors should audit npm dependencies and developer machine security.Fri, 01 May 2026 00:00:00 GMTdprknorth-koreanpmsupply-chainai-generated-malwaresource-code-theftcrypto-theftrathttps://cipherwatch.io/articles/2026-04-28-medtronic-breach-shinyhunters-9-million-medical-records/https://cipherwatch.io/articles/2026-04-28-medtronic-breach-shinyhunters-9-million-medical-records/Medtronic, the world's largest medical device manufacturer, has confirmed a data breach after the ShinyHunters threat actor claimed to have stolen nine million patient records. The breach includes patient names, device serial numbers, implant dates, clinic details, and in some cases diagnostic data from cardiac, diabetes, and spinal device programmes across 150 countries. Regulatory notifications under HIPAA, GDPR, and MDR are expected.Tue, 28 Apr 2026 00:00:00 GMTbreachhealthcaremedical-devicesshinyhuntersgdprhipaapatient-datahttps://cipherwatch.io/articles/2026-04-28-rituals-cosmetics-data-breach-40-million/https://cipherwatch.io/articles/2026-04-28-rituals-cosmetics-data-breach-40-million/Amsterdam-based luxury cosmetics brand Rituals has disclosed a breach of its My Rituals membership platform affecting potentially up to 40 million registered members across its 1,170-plus retail locations in 37 countries. Exposed data includes names, contact details, date of birth, gender, and purchase history. The breach carries significant GDPR obligations as Rituals is headquartered in the EU.Tue, 28 Apr 2026 00:00:00 GMTbreachgdprretailpiimembership-dataeu-data-protectionhttps://cipherwatch.io/articles/2026-04-26-france-titres-ants-breach-11m-identity-records/https://cipherwatch.io/articles/2026-04-26-france-titres-ants-breach-11m-identity-records/France's national secure-ID document agency confirmed a breach affecting 11.7 million citizens — roughly one in five residents — after threat actor 'breach3d' claimed to have exfiltrated records including names, dates of birth, addresses, email addresses, and phone numbers. CNIL, ANSSI, and the Paris Public Prosecutor have been notified. Organisations operating in France face elevated customer account fraud and social engineering risk from the compromised data.Sun, 26 Apr 2026 00:00:00 GMTdata-breachpiigovernmentidentitygdprfrancehttps://cipherwatch.io/articles/2026-04-25-adt-breach-shinyhunters-vishing-customer-pii/https://cipherwatch.io/articles/2026-04-25-adt-breach-shinyhunters-vishing-customer-pii/ADT, the US home and business security monitoring provider, has confirmed a data breach after ShinyHunters used voice phishing to social-engineer a support employee into granting access to customer management systems. Names, phone numbers, and account data were exfiltrated. The incident underlines how thoroughly attackers have made help desk social engineering a standard tool.Sat, 25 Apr 2026 00:00:00 GMTdata-breachvishingshinyhunterssocial-engineeringpiihelp-deskhttps://cipherwatch.io/articles/2026-04-24-fake-crypto-wallet-apps-apple-app-store-seed-phrase-theft/https://cipherwatch.io/articles/2026-04-24-fake-crypto-wallet-apps-apple-app-store-seed-phrase-theft/Researchers have discovered 26 malicious applications that bypassed Apple's App Store review and actively harvest cryptocurrency wallet seed phrases from victims. Users who installed any suspect app should rotate all wallet credentials immediately — mnemonic phrase compromise results in permanent, irreversible asset loss.Fri, 24 Apr 2026 00:00:00 GMTmobile-securitycryptocurrencymalwareappledata-thefthttps://cipherwatch.io/articles/2026-04-23-grinex-sanctioned-crypto-exchange-13m-hack/https://cipherwatch.io/articles/2026-04-23-grinex-sanctioned-crypto-exchange-13m-hack/Grinex, a cryptocurrency exchange linked to the sanctioned Garantex operation, suspended all services after attackers drained $13.74 million in a targeted April 15 incident. The exchange blamed 'hostile state intelligence agencies,' pointing to the attack's technical sophistication. Elliptic and Chainalysis analysts have traced the funds but stop short of confirming attribution. The shutdown removes a significant node in Russia's sanctions-evasion infrastructure.Thu, 23 Apr 2026 00:00:00 GMTcrypto-theftsanctions-evasionrussiagrinexgarantexstate-sponsoredfinancial-crimehttps://cipherwatch.io/articles/2026-04-22-everest-ransomware-citizens-bank-data-breach/https://cipherwatch.io/articles/2026-04-22-everest-ransomware-citizens-bank-data-breach/The Everest ransomware group claims to have stolen 380 GB of Citizens Bank customer data via a third-party vendor, including 250,000 Social Security Numbers and 3.4 million banking records. Citizens attributes the breach to a vendor, not its core systems — but regulatory notification obligations apply regardless.Wed, 22 Apr 2026 00:00:00 GMTransomwareeverestdata-breachfinancial-sectorthird-party-riskpii-exposurehttps://cipherwatch.io/articles/2026-04-22-shinyhunters-zara-carnival-7-eleven-extortion/https://cipherwatch.io/articles/2026-04-22-shinyhunters-zara-carnival-7-eleven-extortion/Prolific threat actor ShinyHunters posted simultaneous claims of data theft from Inditex/Zara, Carnival Corporation, and 7-Eleven on dark web forums on 21 April, threatening to publish stolen datasets. None of the companies has confirmed the breaches. Given ShinyHunters' track record, claims should be treated as credible pending investigation.Wed, 22 Apr 2026 00:00:00 GMTdata-breachshinyhuntersextortionretaildark-webpii-exposuredata-brokerhttps://cipherwatch.io/articles/2026-04-19-mcgraw-hill-shinyhunters-salesforce-breach/https://cipherwatch.io/articles/2026-04-19-mcgraw-hill-shinyhunters-salesforce-breach/Education publisher McGraw Hill has confirmed a data breach affecting 13.5 million accounts after the ShinyHunters cybercriminal group threatened to publish 45 million Salesforce records. The breach stemmed from a misconfiguration within Salesforce's environment — one McGraw Hill acknowledges is part of a broader issue affecting multiple organisations. Over 100GB of data has been publicly released.Sun, 19 Apr 2026 00:00:00 GMTdata-breachshinyhunterssalesforcemisconfigurationcloud-securityedtechextortionthird-party-riskhttps://cipherwatch.io/articles/2026-04-17-standard-bank-breach-1-2tb-client-data-leaked/https://cipherwatch.io/articles/2026-04-17-standard-bank-breach-1-2tb-client-data-leaked/A threat actor claiming to have spent three weeks inside Standard Bank's network has published approximately 1.2TB of stolen data online, including client names, national identity numbers, account details, and a subset of credit card numbers. One of Africa's largest banks, Standard Bank operates across more than 20 countries and holds significant international exposure. The double-extortion attack pattern and lessons for database-layer monitoring are directly relevant to financial services defenders globally.Fri, 17 Apr 2026 00:00:00 GMTdata-breachfinancial-servicesdouble-extortioncredit-carddatabase-securityincident-responsehttps://cipherwatch.io/articles/2026-04-14-basic-fit-breach-one-million-european-members/https://cipherwatch.io/articles/2026-04-14-basic-fit-breach-one-million-european-members/Dutch fitness chain Basic-Fit has disclosed a data breach affecting approximately one million members across six European countries, with bank account details among the compromised data. The breach targeted the company's visit-tracking system, exposing names, contact details, dates of birth, and banking information. GDPR notifications have been filed.Tue, 14 Apr 2026 00:00:00 GMTbreachbasic-fitgdpreuropepersonal-databanking-datanetherlandsdata-classificationhttps://cipherwatch.io/articles/2026-04-12-booking-com-reservation-data-breach-phishing-risk/https://cipherwatch.io/articles/2026-04-12-booking-com-reservation-data-breach-phishing-risk/Booking.com has disclosed unauthorised access to customer reservation data including names, contact details, and booking information. No payment data was taken, but the exposed reservation details create a high-quality dataset for targeted travel-themed phishing campaigns. Reservation PINs have been reset across affected bookings.Sun, 12 Apr 2026 00:00:00 GMTbreachbooking-comphishingtraveldata-exposuregdprpersonal-datahttps://cipherwatch.io/articles/2026-04-10-lapd-world-leaks-city-attorney-breach/https://cipherwatch.io/articles/2026-04-10-lapd-world-leaks-city-attorney-breach/Extortion group World Leaks has published more than 337,000 sensitive LAPD files — including officer personnel records, Internal Affairs investigations, and witness medical information — after breaching a third-party legal discovery transfer tool used by the Los Angeles City Attorney's Office. The incident illustrates how legal and compliance workflows that touch sensitive data are increasingly targeted as a softer entry point than agency systems themselves.Fri, 10 Apr 2026 00:00:00 GMTdata-breachextortionthird-party-riskpolice-recordsdiscovery-dataworld-leakssensitive-datahttps://cipherwatch.io/articles/2026-04-09-anodot-snowflake-saas-integrator-breach/https://cipherwatch.io/articles/2026-04-09-anodot-snowflake-saas-integrator-breach/The ShinyHunters threat group breached Anodot, an AI analytics platform used to integrate with Snowflake cloud data warehouses, and stole authentication tokens that enabled downstream data theft from over a dozen Snowflake customer environments. The attack is a textbook fourth-party risk incident: the direct target was not the victim organisations' systems but a trusted third-party integration layer.Thu, 09 Apr 2026 00:00:00 GMTsnowflakeanodotsaassupply-chainshinyhuntersdata-thefttoken-theftthird-party-riskcloud-securityhttps://cipherwatch.io/articles/2026-04-08-chipsoft-ransomware-dutch-healthcare/https://cipherwatch.io/articles/2026-04-08-chipsoft-ransomware-dutch-healthcare/Dutch healthcare IT vendor ChipSoft, whose HiX electronic patient record system is used by approximately 80% of hospitals in the Netherlands, was struck by a ransomware attack on 7 April. Eleven hospitals have disconnected from ChipSoft systems and reverted to emergency paper procedures. ChipSoft has confirmed a 'data incident' with possible unauthorised access to patient records, and Z-CERT has advised all connected healthcare institutions to disconnect VPN links to the vendor.Wed, 08 Apr 2026 00:00:00 GMTransomwarechipsofthealthcarepatient-datanetherlandsthird-party-riskz-certehrhttps://cipherwatch.io/articles/2026-04-03-dell-idrac-cve-2026-23856-privilege-escalation/https://cipherwatch.io/articles/2026-04-03-dell-idrac-cve-2026-23856-privilege-escalation/Dell has patched CVE-2026-23856, a privilege escalation vulnerability in the iDRAC Service Module (iSM) shipped with PowerEdge servers. A local attacker with standard user privileges can exploit improper access controls in the iSM — which runs with elevated system privileges to communicate with the hardware management interface — to elevate to SYSTEM or root. Updated iSM packages are available for both Windows and Linux.Fri, 03 Apr 2026 00:00:00 GMTdellidracpoweredgecve-2026-23856privilege-escalationfirmwareserver-securityhttps://cipherwatch.io/articles/2026-03-25-infinite-campus-shinyhunters-k12-breach/https://cipherwatch.io/articles/2026-03-25-infinite-campus-shinyhunters-k12-breach/Infinite Campus, the K-12 student information system used by over 3,200 school districts across 46 US states, has warned customers of a security incident after ShinyHunters claimed to have stolen data via a Salesforce ticketing system compromise on 18 March. The company confirmed the attack lasted 38 minutes and primarily exposed school staff contact details, asserting no student database access occurred — but the threat actor's extortion deadline has passed without resolution.Wed, 25 Mar 2026 00:00:00 GMTdata-breachshinyhunterseducationsalesforcek12student-dataextortionsocial-engineering