Breaches, fines, malware, and mayhem

CybersecurityHQ News

Welcome, reader, to your CybersecurityHQ report.

Brought to you by:

Cypago enables strategic decision-making through a full Cyber GRC product suite, helping you avoid damage to business reputation, financial losses, and loss of client trust.

—

Notes:

As the year comes to an end, I want to wish you happy holidays and share my gratitude for being part of this incredible journey. Building this community and connecting with each of you has been an amazing experience.

Thank you for your support and engagement. As we look forward to 2025, I am excited about everything we will achieve together. Stay tuned, as we are getting ready to launch our long-awaited AI Resume Builder, designed to help you elevate your career.

Here’s to an even more successful and inspiring year ahead. Cheers to 2025!

—

Weekly Headlines

Meta Fined €251M for Breach

Meta Platforms has been fined €251 million (~$263 million) by the Irish Data Protection Commission (DPC) for a 2018 Facebook data breach that exposed personal data from 29 million accounts, including 3 million in the EU. The breach exploited a flaw in the "View As" feature, allowing attackers to obtain account access tokens and steal data such as names, emails, phone numbers, locations, and even children's information.

The DPC cited Meta for violating GDPR by failing to adequately document the breach, address data protection in system design, and include necessary details in its breach notification. This enforcement highlights the risks of not embedding data protection during development.

This is Meta’s second major GDPR fine in 2024, following a €91 million penalty for a 2019 incident. Additionally, Meta settled a separate case in Australia with AU$50 million for misusing data during the Cambridge Analytica scandal.

Meta has since removed the flawed functionality, and the DPC emphasized the severe risks posed by such vulnerabilities.

HiatusRAT Malware Targets IoT Devices

The FBI has issued a warning (PDF) about HiatusRAT, a new Remote Access Trojan (RAT) that targets IoT devices, specifically Chinese-branded web cameras and DVRs with known vulnerabilities. Attackers use the malware to take remote control of the devices, focusing on Western government organizations and companies.

HiatusRAT campaigns, active since July 2022, have been linked to espionage efforts against U.S. government servers involved in defense contracts and Taiwan-based organizations. Vulnerable devices, particularly those at end-of-life or lacking vendor patches, are prime targets. Brands like Xiongmai and Hikvision are mentioned, but other vendors may also be affected.

Attackers exploit flaws such as CVE-2017-7921 and CVE-2021-36260 and use weak vendor-supplied passwords to infiltrate systems. Tools like Ingram, a webcam scanner, and Medusa, a brute-force authentication tool, facilitate these attacks. 

Quantum Chips: RSA Still Safe

Last week, Google unveiled its new Willow quantum chip to much fanfare, making bold claims about a significant breakthrough in computing power. But, according to Google Quantum AI director Charina Chou, Willow cannot crack RSA encryption, which secures most internet-based communications and transactions. While Willow can solve challenges in minutes that would take supercomputers billions of years, it has only 105 physical qubits, far short of the millions required to break encryption.

Apparently, the latest estimates say we are about a decade away from chips with the requisite 4 million physical qubits to accomplish the task.

To defend against this future risk, Google and others are developing post-quantum cryptography (PQC), supported by bodies such as the National Institute of Standards and Technology (NIST), which recently finalized its quantum-safe cryptography standards.

Despite claims from Chinese researchers about smaller quantum computers breaking RSA encryption, experts remain skeptical. Companies worldwide, spurred by revelations like the Snowden leaks, are proactively preparing for quantum threats. Once a “cryptanalytically relevant quantum computer” (CRQC) becomes plausible, organizations will likely rush to upgrade encryption systems to ensure continued security against this emerging technology.

Framingham Study Breach Exposes Thousands

Boston University’s (BU) Framingham Heart Study (FHS), a renowned multigenerational cardiovascular research project, suffered a data breach on September 8, 2024, exposing personal and medical information of all 15,448 participants. Hackers accessed and transferred files, including names, addresses, dates of birth, and, in fewer than 2% of cases, Social Security numbers. BU IT specialists intervened to quarantine the affected servers, but not before the data was exfiltrated.

BU, in collaboration with federal agencies, has launched an investigation, hired external forensic experts, and implemented enhanced cybersecurity measures. Participants with compromised Social Security numbers are offered free credit monitoring. Notifications have been sent to all impacted individuals, outlining steps to protect against identity theft.

LastPass Breach Fuels Crypto Theft

The 2022 LastPass data breach continues to wreak havoc, with hackers recently stealing $12.38 million in cryptocurrency from 150 individual accounts. According to crypto investigator ZachXBT, the stolen funds were swiftly converted from Ethereum to Bitcoin and dispersed via instant exchanges. This incident follows another theft in October 2023, where $4.4 million was taken from over 25 victims linked to the same breach.

The original breach began in August 2022 when hackers compromised a developer account, accessing API tokens, MFA seeds, and customer keys. Despite initial assurances from LastPass that customer data was safe, further investigations revealed attackers accessed customer account information and encrypted vault backups, including usernames, passwords, and secure notes. In March 2023, hackers exploited a Plex Media software vulnerability on a senior engineer's device to retrieve decryption keys for these vaults.

This "long-tail effect" highlights the enduring impact of breaches, with cybersecurity experts emphasizing the need for robust preventative measures. ExtraHop’s Jamie Moles warned the full scale of the fallout might still be unknown.

ZachXBT included in his report a desperate plea: “I cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass, migrate your crypto assets immediately.” 

Rhode Island Benefits System Breached

Rhode Island’s RIBridges benefits system was taken offline following a cyberattack that may have exposed the personal data of hundreds of thousands of users. The system—used to apply for Medicaid, SNAP, and other state benefits—has been inaccessible since Friday, impacting Rhode Islanders’ ability to access these services.

Governor Dan McKee confirmed that attackers might have obtained sensitive information, including names, addresses, and Social Security numbers of users from 2019 onward. State officials described the attack as extortion, not ransomware, and noted that the HealthSource RI healthcare marketplace was also affected.

To address the disruption, the state has provided paper applications through the Department of Human Services website and plans to restore the system before the January 31 open enrollment deadline. A call center will be available for affected users, and free credit monitoring instructions will be mailed to those impacted by the breach.

Kevin Walsh, a spokesperson for Deloitte, assured citizens, “While that investigation is ongoing, we have shown over the past decade our unwavering commitment to the state of Rhode Island and the people they serve. We will continue to work around the clock to resolve this matter.”

Cyber Deals, Big Moves, Spotlight

And now it’s time for a business news roundup. Bureau drew massive support from Sorenson Capital and PayPal in a Series B funding round that saw the startup rake in $30 million. The company prevents user identity fraud, a very popular service in today’s threat landscape.

The company already works with India’s Uber-like service Rapido and IDFC First Bank. But it is now setting its sights on Saudi Arabia and North America. Founder-CEO Ranjan Reddy said, “We are seeing a lot of demand. We need to support that with sales and marketing efforts.”

Also, Paragon, an Israel-based spyware maker, was recently acquired by AE Industrial Partners for a whopping $500 million. The mysterious company, which still lacks a website, offers customers the ability to hack phones with its Graphite product.

Among its clients is none other than US Immigration and Customs Enforcement, which has a $2 million deal with the company.

And finally, Arctic Wolf announced that it will buy BlackBerry’s Cylance endpoint security assets for $160 million plus 5.5 million common shares. That might seem impressive, but BlackBerry purchased the company eight years ago for $1.4 billion.

But Arctic Wolf appears to have a plan to make Cylance work for it in a way that BlackBerry never could.


Interesting Read

It’s the end of the year, so why not take time to have a little fun? In this week’s Interesting Read, we take a stroll through the tech failures and flops of 2024—reminding us to keep our hopes tempered.

In this article by Paulius Grinkevičius, we get a roundup of the biggest swings and misses of the year. These include everything from the time Microsoft tried to introduce a feature that would screenshot your activity and store it in an SQLite database to Apple’s VR debacle.

There is something strangely engaging about looking through these stories. We never quite know exactly where tech innovation is taking us, and companies pour millions of dollars into projects that are—at the end of the day—just stabs in the dark.


Stay Safe, Stay Secure.

The CybersecurityHQ Team
