IT Security Newsletter

IT Security Newsletter - 7/2/2025

Written by Cadre | Wed, Jul 2, 2025

Risk Assessment, Vulnerability Assessment and Pen Testing

Almost weekly, a customer contacts me asking for a penetration test. However, what they really want is a vulnerability scan. Or, they ask for a vulnerability scan, but what they need is a Risk Assessment. I don't know how the mix-up started, but I know it's not the customer's fault. Most of the time, it is an IT (Information Technology) or IS (Information Security) vendor that should know better. READ MORE...

Kelly Benefits says 2024 data breach impacts 550,000 customers

Kelly & Associates Insurance Group (dba Kelly Benefits) is informing more than half a million people of a data breach that compromised their personal information. The Maryland-based health and life insurance agency has issued an update on a security incident it suffered last year between December 12-17, when unauthorized actors breached its IT systems and stole files. On April 9, 2025, the company stated that the incident impacted 32,234 individuals. READ MORE...

Qantas data breach could affect 6 million customers

Qantas has suffered a cyber incident that has led to a data breach. "The incident occurred when a cyber criminal targeted a call centre and gained access to a third-party customer servicing platform," the Australian airline announced today, but said that all of its systems remain secure and its operations haven't been affected. The company detected unusual activity on a third-party platform used by that contact center on Monday, June 30, 2025. READ MORE...

Update your Chrome to fix new actively exploited zero-day vulnerability

Google has released an update for its Chrome browser to patch an actively exploited flaw. This update is crucial since it addresses an actively exploited vulnerability that can be triggered when the user visits a malicious website. It doesn't require any further user interaction, which means the user doesn't need to click on anything in order for their system to be compromised. READ MORE...

We've All Been Wrong: Phishing Training Doesn't Work

A recent study suggests, contrary to popular belief, that most phishing awareness initiatives aren't having a material impact on employee cybersecurity. One of the most widely repeated, least examined memes in the cybersecurity industry is that, even more than technical solutions, organizations can best secure themselves by teaching cyber awareness among their employees: building a "human firewall" to protect an organization's otherwise "weakest link." READ MORE...

US sanctions bulletproof hosting provider for supporting ransomware, infostealer operations

Federal authorities levied sanctions Tuesday on Aeza Group, a bulletproof hosting service provider based in Russia, for allegedly supporting a broad swath of ransomware, malware and infostealer operators. Aeza Group has provided servers and specialized infrastructure to the Meduza, RedLine and Lumma infostealer operators, BianLian ransomware and BlackSprut, a Russian marketplace for illicit drugs, according to the Treasury Department's Office of Foreign Assets Control. READ MORE...

Like SEO, LLMs May Soon Fall Prey to Phishing Scams

Just as attackers have exploited search engine optimization (SEO) techniques to push phishing content in search engine results, expect to soon see them leverage AI-optimized content to influence the outputs of large language models (LLMs) for the same purpose. Making the task possible for them is the tendency by LLMs to often return incorrect domain information in response to simple natural language queries, according to a recent experiment by Netcraft. READ MORE...

Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover

A vulnerability in the Forminator WordPress plugin could allow attackers to take over more than 400,000 impacted websites. A popular form builder plugin with more than 600,000 active installations, Forminator supports the creation of various types of forms, including contact and payment forms, polls, and more. The WordPress plugin was found vulnerable to CVE-2025-6463 (CVSS score of 8.8), an arbitrary file deletion flaw that exists because file paths are not sufficiently validated. READ MORE...

  • ...in 1776, the Second Continental Congress, assembled in Philadelphia, formally adopts a resolution for independence from Great Britain.
  • ...in 1881, President James A. Garfield is shot by assassin Charles J. Guiteau. Garfield lived another 80 days before succumbing to his injuries.
  • ...in 1964, President Johnson signs the Civil Rights Act, prohibiting discrimination based on race, color, religion, sex, or national origin.
  • ...in 1992, Chevrolet builds the 1,000,000th Corvette. It is currently on display at the Corvette Museum.