This week
- CISOs unite in G7, OECD plea for simple regulation
- Financially motivated nation-state attacks on the rise
- M&S Cyber incident, good comms, minimal disruption
- Just logging in: hacking is initial vector in a small proportion of breaches
- FBI Cybercrime reports are up 33%
Interesting stats
$16 billion in losses were reported to the FBI’s Internet Crime Complaint Center in 2024, with 3,165 crimes reported (up 33%). LINK
Microsoft has released some details of its Secure Future Initiative; the second progress report details some interesting data points:
- 34,000 FTEs working on high-priority security tasks for the last 11 months (by my fag-packet maths, that’s ~$7 billion in salary costs!)
- 97% of our production infrastructure assets centrally (I wonder what the other 3% are?)
- 14 “Deputy CISOs across Microsoft have completed a risk inventory and prioritization, creating a shared view of enterprise-wide security risk” (suggesting there wasn’t a shared view before 🤔)
- 6.3 million “legacy tenants” have been removed (holy tech debt, Batman!) LINK
Plus more — it’s RSA week, so lots of vendor reports — see the main ones below…
Five things
- Not just any cyber-attack… this is an M&S cyber-attack: The UK high-street retailer has suffered disruption this week, with Click and Collect orders and contactless payments initially being affected. Later in the week, contactless payments came back, while new app and website orders were halted. Some of the fallout appears to be precautionary, with the M&S team isolating services to contain the incident and an update highlighting the “proactive decision to move some of our processes offline”. Stores have remained open throughout. I think CEO Stuart Machin’s comms sent out to customers early in the week are a great example of what good looks like. They acknowledge the issues, reassure customers, and aren’t full of cyber-lingo. M&S has notified the London Stock Exchange, Information Commissioner, and engaged external support. LINK, MORE
- Data! Data! Data!: Starting with Verizon DBIR 2025, as usual there is a boatload of data in this report. Here’s my attempt at a summary so you don’t have to wade through the 115-page report yourself. External actors (81%) still dwarf internal and partners (18% and 1.2%, respectively) as the source of incidents. Excluding error and misuse, initial access vectors are still predominately ‘non-hacking’: using stolen credentials (22%; down from 31% last year) and phishing (16%; which often leads to credential abuse) combined almost double exploitation of vulnerabilities (20%; up a third YoY). This matches IBM’s X-Force report, also released this week, which says its IR team mainly tackled incidents involving valid credentials and exploited public apps (both 30% of case volume), telling CyberScoop “They’re logging in, versus hacking in”. Motivations remain largely financial (89%), though espionage has risen (17%; up 163%). State actors aren’t solely concerned with espionage now: financial motives were noted in 28% of state-sponsored breaches; think, for example, about North Korean attacks. Mandiant’s M-Trends report differs slightly, with a greater number of vulnerability exploits perhaps reflecting the firm’s focus on responding to nation-state attacks, where DBIR also suggests there’s a greater emphasis on hacking-in. Mandiant says the top targeted industries are financial (17%), business and professional services (11%), high tech (11%), government (10%), and healthcare (9%). DBIR, DBIR 2025 (PDF), IBM, MANDIANT, M-TRENDS
- A group of CISOs is calling on G7 governments and the OECD to focus on harmonising cyber security regulations. Over 40 CISOs from a wide range of companies, including Microsoft, NatWest Group, DHL, Swisscom, Canadian National Railroad, and National Australia Bank, signed the letter. It supports “efforts to strengthen cybersecurity and resilience” but cautions against the divergence of domestic legislation and regulation, which “is adding complexity to our companies’ operational cyber defense and ability to defend against growing cyber threats”. The inclusion of the Organisation for Economic Co-operation and Development (OECD) is interesting though sensible, given the focus on standards and practices to “help drive and anchor reform in more than 100 countries around the world”. LINK, LETTER (PDF)
- The Post Office did not own the code and, therefore, could not inspect the transaction system at the heart of the faulty Horizon IT system, developed by Fujitsu, that resulted in the wrongful conviction of hundreds of sub-postmasters. Code-ownership aside, I’ve seen quite a few clients with similar issues around the assurances they can contractually obtain from their suppliers. It’s clear that there were major failings in Fujitsu’s Horizon system and the Post Office’s response to concerns raised by its sub-postmasters. This, in some ways, relates to the demonstrable evidence JPMorgan’s CISO is asking for in their letter below. LINK (h/t Simon)
- Patrick Opet, CISO at JPMorgan, has penned an open letter to third-party suppliers asking them to do better: he says SaaS providers are “quietly enabling cyber attackers” and represent a “substantial vulnerability that is weakening the global economic system”. Opet calls on suppliers to go beyond slogans, properly prioritise security and provide “demonstrable evidence that controls are working effectively, not simply relying on annual compliance checks”. LINK
In brief
- 🤓 Interesting reads: You can use LLMs to create proof of concept exploits from CVEs and patch diffs in an afternoon now. Signal jammers and privacy film will be used to protect the secrecy of Conclave proceedings at the Vatican in the coming weeks as the Catholic Church selects a new pope. LLMs, CONCLAVE
- ⚠️ Incidents: Japan’s Financial Services Agency is warning that 1,454 fraudulent trades totalling $315 million have been made from compromised brokerage accounts. It’s believed attackers phished the credentials. The brokerages will cover customers’ losses. Cryptocurrency Ripple’s recommended JavaScript library “xrpl.js” was compromised, with wallet seeds and private keys stolen. A man has been charged for gaining unauthorised access to Australia’s largest court system and downloading more than 9,000 files between January and March this year. Health insurer Blue Shield of California misconfigured Google Analytics and leaked patients’ searches and health information “for years”; Google may have used the data to target ads. A Spanish municipal water company north of Barcelona has reported a cyber incident, though water supplies and control systems were unaffected. South African telco MTN Group, which operates in 20 countries and has over 200 million subscribers, says it suffered a breach exposing the personal information of an unknown number of customers. JAPAN, RIPPLE, COURT, BLUE SHIELD, WATER, MTN
- 🏴‍☠️ Ransomware: Yale New Haven Health has suffered a suspected ransomware attack resulting in the loss of contact information, social security numbers, and other demographic data on over 5.5 million patients. YALE
- 🕵️ Threat Intel: British firms are being urged to hold video or in-person interviews with remote IT workers as Google warns that the UK is a target for North Korean IT worker scams. Southeast Asian scammers are expanding into South America and Africa as Chinese and Thai authorities step up efforts against the criminal gangs. GreyNoise says it’s seen an 800% increase in Ivanti VPN scans in the last week, potentially indicating a precursor to attacks. There have been quite a few critical vulnerabilities in Ivanti appliances in 2025. IT WORKERS, SCAMMERS, IVANTI
- 🪲 Vulnerabilities: SAP has released an emergency update to fix a remote code execution zero-day being actively exploited by attackers (CVE-2025-31324; 10/10). SAP (ADVISORY (sign-in req’d))
- 🧑‍💻 End user and consumer: In Google’s monopoly case, the DOJ is pushing for the divestment of Chrome and Android; OpenAI is interested in acquiring Chrome. CHROME, OPENAI
- 🧰 Guidance and tools: The World Economic Forum and the University of Oxford have released The Cyber Resilience Compass, a white paper based on workshops and interviews with 102 security experts across 18 sectors. The seven thematic areas, such as leadership, GRC, culture, and crisis management, will be familiar to practitioners. There are some interesting case studies included. LINK, WHITE PAPER (PDF)
- 📜 Policy & Regulation: The EU has fined Apple and Meta €500 million and €200 million, respectively, for violations of the Digital Markets Act (DMA) rules, which ensure “citizens have full control over when and how their data is used online, and businesses can freely communicate with their own customers.” US Secretary of State Marco Rubio wants to move the Bureau of Cyberspace and Digital Policy under the State Department’s economic affairs wing, a demotion of sorts, and a shift from a broad range of issues, including military, to a purely economic focus. APPLE, META, STATE DEPT
- 👮 Law Enforcement: The FBI is offering a $10 million bounty for information about the China-linked Salt Typhoon threat group. SALT TYPHOON
- 💰 Investments, mergers and acquisitions: Cynomi has raised a $37 million Series B funding round for its AI-powered ‘SMB virtual CISO’. Endor Labs has landed a $93 million Series B amidst a pivot from open-source package to AI-generated code security scanning. CYNOMI, ENDOR
- 🗞️ Industry news: Senior CISA officials Bob Lord and Lauren Zabierek have announced their departure from the US domestic cyber agency, while Madhu Gottumukkala will join the agency as second-in-command from their current South Dakota State CISO position. Phil Venables has left his position as CISO of Google Cloud to join San Francisco-headquartered VC firm Ballistic Ventures. CISA DEPARTURES/ARRIVALS, VENABLES
And finally
- A reminder if you’re heading to the RSA Conference that I’d love to meet up. Especially if you’d be generous enough to share how you approach governance, risk management and compliance in your organisation or would like to hear how Cydea can help you boost your security programme. Drop me a line! LINKEDIN