Security Briefing

Managing AI Risks in Organizational Adoption and Usage

The Heist

It started with an email. A routine request from the CFO to the finance department, instructing them to expedite payment to a new vendor. The message bore all the usual signs of legitimacy—familiar language, corporate jargon, and even the CFO’s signature, perfectly replicated. The email security system flagged nothing unusual.

The finance team complied, unaware that the CFO had never sent the request.

Behind the scenes, (more…)

The Silent Threat: How PCI DSS 4.0.1 Tackles Service Account Vulnerabilities

While organizations rightly prioritize protecting employee accounts from cybersecurity threats, particularly those with elevated privileges, service accounts too often receive less attention despite their critical nature. Service accounts operate silently in the background, running critical business applications and services that are essential for operations.

The importance of securing service accounts is now formally recognized in PCI DSS v4.0.1, which introduces new requirements taking effect March 31, (more…)

The New PCI DSS v4.0.1 Software Catalog Mandate: Are You Ready?

Some of the 51 future-dated requirements of the new PCI DSS v4.0.1 that become effective on March 31, 2025, are related to inventory management. Let’s start by talking about software. In the digital era, software has become the fundamental engine powering organizational operations, and your organization undoubtedly relies on a variety of software applications to conduct business, many of which are bespoke or (more…)

Compromised Credential Leads to Major Educational Data Leak at PowerSchool

Description

K-12 schools manage vast amounts of sensitive personal information about students and educators. Many school districts utilize a cloud service provider to host this data and provide insights and analytics. PowerSchool stands as the leading provider of cloud-based education software for K-12 education in the United States, serving over 55 million students and 17,000 educational institutions across more than 90 countries. On December 28, 2024, PowerSchool (more…)

More Corporate Giants Are Victims of the MOVEit Vulnerability

Description

There is an adage that says, “Old habits die hard.” Exploitable vulnerabilities die just as hard. It was May 28, 2023, when the MOVEit vulnerability was first identified. MOVEit is a secure Managed File Transfer (MFT) software product developed by Progress Software that securely transfers files and data between servers, systems, and applications. The vulnerability, known as CVE-2023-34362, allows attackers to bypass authentication on unpatched (more…)

Toymaker Settles Data Breach Class Action Suit for $500,000

Description

Squishable, a New York-based company that makes cute and cuddly companion toys for children, suffered what is referred to as a Magecart attack that affected nearly 16,000 customers back in 2022. These types of attacks are carried out by injecting malicious scripts into e-commerce sites to steal payment information. In Squishable’s case, the malicious code was present on their website from May 26 to (more…)

Dental Center Agrees to Settlement of $2.7 Million for Data Breach

Description

Great Expressions Dental Centers, a Michigan-based dental service organization with nearly 300 affiliated practices across the United States, experienced a significant data breach in February 2023. The incident affected approximately 1.9 million patients and employees. Over a six-day period, an unauthorized party potentially accessed personal information of both employees and patients. For employees, the compromised data included names, Social Security numbers (SSNs), driver’s license (more…)
