This week
- JLR says data was accessed during recent attack
- Salesloft threat actors gained access via GitHub account in March
- US winds up State Department disinformation cooperation agency
- US sanctions individuals linked to Myanmar scam compounds
- Switzerland is considering identity requirements for service providers
Interesting stats
17% increase in the average cost of an individual ransomware attack, with such events accounting for 76% (2024: 46%) of H1 incurred losses for insurer Resilience. LINK
Five things
- Jaguar Land Rover: The British car maker says that threat actors accessed some data. It’s unknown whether the data is internal company information, customer data, or supplier information; however, the Information Commissioner’s Office has been notified, suggesting that personal data may have been compromised. Meanwhile, the government is being urged to act as some smaller firms in JLR’s supply chain are understood to be weeks away from going bust. The automotive industry operates on a ‘just in time’ basis that leaves little inventory or resilience for disruption. DATA, SUPPLY CHAIN
- Salesloft says that attackers gained access to a company GitHub account back in March, and continued to have access through June. In a report detailing updates to its incident response investigation, Salesloft states that the attackers were able to access code repositories and subsequently pivot their access into Salesloft’s AWS environment. Once in AWS, they were able to steal Salesloft customer API tokens for integrations, such as with Salesforce — one of the primary use cases for the Drift chatbot — and gain onward access to customer data. SALESLOFT, REPORT
- Disinformation: The US is ending joint efforts with European countries to combat disinformation from Russia, China, and Iran. It comes as the final winding down of the State Department’s Global Engagement Center (GEC). Republican lawmakers accused the agency of censorship, and Trump administration officials celebrated being “proud to spike the entire GEC” for “infamous censorship activity profoundly misaligned with this administration’s pro-free speech position”. It’s hard not to see this as, as former head of the centre James Rubin put it, an “act of disarmament”. GEC
- Cyberscam compounds: The US Treasury Department sanctioned multiple Burmese, Cambodian, and Chinese nationals this week for involvement in scam centres. Scam centres deserve more attention: The UN believes hundreds of thousands of people have been trafficked to Myanmar by gangs who beat and torture them if they don’t achieve quotas of scam messages. This piece in The Guardian, also published this week, tells the story of Duncan Okindo, a Kenyan national who was lured to Thailand with promises of a lucrative IT job, only to be smuggled across the border to Myanmar. While many of us focus on cybercriminal or nation-state threat actors and ingenious exploits, it’s easy to dismiss or belittle ‘scammers’. So it’s worth taking a moment to recognise the scale and brutality of what’s going on here. These scam compounds are huge, with some comprising tens of buildings and resembling towns (see photo below). Myanmar, in a state of civil war, makes an attractive location for organised crime gangs, and the number of scam compounds along the Thai border has risen from 11 to an estimated 26 in the last four years. SANCTIONS, STORY
- Switzerland: VPN providers and privacy-centric technology companies like Proton are raising concerns over Swiss government proposals to regulate service providers with more than 5,000 users. The proposals include collecting government-issued identification from users, retaining subscriber information for a period of six months, and potentially disabling encryption. Proton has gone as far as to start moving its infrastructure outside the country, which is long-famed for its privacy-friendly stance. SWITZERLAND
In brief
- ⚠️ Incidents: Plex, a media streaming platform, is telling users to reset their passwords because attackers managed to gain access to authentication data held by the company, including email addresses, usernames, and hashed passwords (h/t Tom). HelloGym, which provides call handling services to fitness companies like Anytime Fitness, left 1.6 million call recordings publicly accessible in an unsecured AWS bucket. UK railway company LNER has suffered a third-party data breach, exposing contact and journey details, and is warning customers to be cautious of potential scams. PLEX, HELLOGYM, LNER
- 🕵️ Threat Intel: The HybridPetya ransomware strain is capable of bypassing Secure Boot, making it possible to hijack a PC before Windows loads. ESET, which discovered the sample, says the code appears to be a proof-of-concept, though it marks the fourth known bootkit with this type of capability. HYBRIDPETYA
- 🪲 Vulnerabilities: SAP is advising customers to update their NetWeaver platforms (which run things like their ERP and CRM systems) after fixing three critical vulnerabilities, including one ‘perfect 10’ severity issue. The vulnerabilities include insecure deserialization of data, insecure file operations, and missing authentication checks (CVE-2025-42944, CVE-2025-42922, and CVE-2025-42958; scored 10, 9.9, and 9.1 out of 10, respectively). SAP (ADVISORY)
- 🧿 Privacy: Atlantic Council research shows that the United States has leapfrogged Israel to become the largest investor in commercial spyware. Also this week, Apple launched the iPhone 17 and its A19 processor, with ‘Memory Integrity Enforcement’ (MIE), a five-year effort to combat memory corruption vulnerabilities commonly used by spyware to gain a foothold on devices. SPYWARE, MIE
- 📜 Policy & Regulation: The UK’s Cyber Security and Resilience Bill (CSRB) has faced further delay due to last week’s Starmer government reshuffle. Versions of the bill have been on the cards since 2022 under the Conservative government, and earlier this year, the Labour government said it would introduce the flagship cyber legislation this autumn. Business minister Chris Bryant didn’t give Parliament a revised date, but said it would be introduced “soon”. The NSA and Cyber Command will remain under the same dual-hat leadership, contrary to Trump administration plans, after officials estimated that splitting the two organisations could take up to six years. NSA/CYBERCOM, CSRB
- 👮 Law Enforcement: Charges against Ukrainian national Volodymyr Viktorovich Tymoshchuk have been unsealed, alleging him to be the administrator of the Nefilim, MegaCortex, and LockerGoga ransomware, the latter used against Norsk Hydro in 2019. Aleksanteri Kivimäki was released from custody this week while he appeals his conviction for the Vastaamo psychotherapy centre data breach. The incident made headlines after all 20,000 patients received individual extortion demands. Under Finnish law, he is presumed innocent while the appeal is made, hence the release. LOCKERGOGA, VASTAAMO
- 💰 Investments, mergers and acquisitions: Mitsubishi Electric will acquire Nozomi Networks, an OT cyber company, in a deal valued near the $1 billion mark. Nozomi, which generated $75 million in revenue in 2024, will continue to operate as an independent subsidiary of the industrial company. F5 is acquiring CalypsoAI for $180 million to integrate AI protections into F5’s application security platform. NOZOMI, CALYPSOAI
- 🗞️ Industry news: M&S’s chief digital and technology officer is leaving the company. The UK Ministry of Defence is looking for a CISO (I’m reliably told, contrary to the LinkedIn posting, it’s not based in Indiana!). M&S, MOD
And finally
- Pirelli has launched the Cyber Tyre, but rather than using its ‘proprietary algorithms and real-time communications’ to get a grip on cyber security, those fancy sensors will detect slips and slides in cars like those made by launch partner Aston Martin. Cyber in the digital-prefix sense, not the security sense. CYBER TYRE
- It’s also been six years since I founded Cydea. I take a quick look at some of the highs from the last 12 months here on LinkedIn. Thank you for subscribing, and double thanks if you’re also a collaborator or customer! 😊