In today’s cybersecurity news…
Workday confirms data breach
Over the weekend, the human resources technology giant confirmed that threat actors accessed a third-party customer relationship database, obtaining personal information. This database typically stores contact information, so names, emails, and phone numbers were likely exposed. The company said there is “no indication of access to customer tenants” in the breach, but didn’t entirely rule it out. No word on which third party was breached, but given the recent swath of Salesforce-hosted databases targeted, it wouldn’t be surprising to see another. Workday added a “no index” tag to its blog post disclosing the breach, so it didn’t surface in search.
An alliance to unify post-quantum cryptography
Late last week, IBM Consulting, Keyfactor, Quantinuum, and Thales announced the Quantum-Safe 360 Alliance, which will provide enterprises with post-quantum cryptography assessments and mitigations using their combined resources. This formalizes existing individual contractual relationships between the four companies. The new alliance released a whitepaper with their launch announcement, detailing best practices for crypto agility, which it defined as “the ability to swiftly adopt and implement quantum-safe cryptographic standards that can evolve and adapt to emerging challenges.”
New Chinese threat actor targeting Taiwan
Researchers at Cisco Talos identified this new group, designated UAT-7237. The group successfully accessed a Taiwanese web host, targeting VPN access and cloud infrastructure for its customers. This is part of a larger focus on long-term access and data theft. The researchers found signs of the group being active since 2022, likely a subgroup of UAT-5918, which mainly focused on espionage operations in Taiwan. This offshoot uses open-source tools in its attacks, like a customized version of Shellcode loader.
“Serial hacker” sentenced to 20 months
Sadly, this story has nothing to do with General Mills or the RS-232 standard. Instead, a 26-year-old UK man received this sentence after pleading guilty to a variety of cybercrime charges. This included hacking into over 3,000 sites, including accessing the website for the Yemen Ministry of Foreign Affairs, deploying vulnerability scanners on Yemeni government sites, accessing admin pages for Israeli Live News, and stealing personal data on millions of Facebook, Netflix, and PayPal users. In many cases, the attack also included defacing sites with political and religious messages. He was arrested in 2022 based on information received from US law enforcement and pleaded guilty on March 17th.
Bragg humbled by cyberattack
Bragg Gaming Group, a leading casino game producer, disclosed that threat actors accessed its internal environment. In its preliminary investigation, the company said it found no evidence that personal information was intercepted, and it doesn’t anticipate the attack disrupting operations. The company said it brought in an outside cybersecurity team to respond to the incident. This marks the third cyberattack on a major casino gaming firm in the past year, with both Ainsworth Game Technology and International Game Technology attacked in November.
Grok exposes AI persona prompts
Earlier this year, xAI’s Grok chatbot released AI personas, which strongly flavor interactions and information output. 404 Media reports that several researchers found the underlying prompts for these personas exposed in the hydration.js file on the Grok web app. These give underlying character backgrounds, likes, dislikes, quirks, tone, catchphrases, and interaction instructions. A significant subset of these instructions was uploaded to GitHub. 404 Media verified the prompts were still available online at the time of its reporting.
Banking trojan infrastructure exposed in source code leak
Researchers at Hunt.io discovered an open directory containing the source code for the v3 ERMAC Android banking trojan. This included the actual malware code, as well as details on the exfiltration server, deployment configurations, and obfuscator. ERMAC has been around since at least 2021, but this latest version can target sensitive information across more than 700 apps, with expanded capabilities to perform form injections, mess with SMS functions, and extract Gmail information. Using the exposed code, the researchers were able to identify C2 endpoints and other infrastructure, many of which included hardcoded tokens and default root credentials. This allowed for a temporary disruption of ERMAC’s malware-as-a-service capabilities, and provides better indicators of compromise.
Transcribing calls with millimeter-wave radar
A hat tip to Bruce Schneier for pointing out this research paper presented at the 2025 ACM WiSec conference about a technique called WirelessTap to eavesdrop on calls. This uses commercially available millimeter-wave radars in the 77-81 GHz range to detect vibrations from phone earpieces and convert them into audio. The effective range was up to 300cm, about 9 feet, although even at a more optimal 50cm, the accuracy of transcription from that audio was only 59.25. The researchers used the project to highlight “the evolving risks of artificial intelligence and sensor systems being misused as technology advances.”
(Schneier on Security, ACM Digital Library)
Oracle reportedly ousts longtime security chief
Bloomberg’s sources say Oracle is parting ways with its first and longtime Chief Security Officer, Mary Ann Davidson, as part of a reorganization. She joined Oracle back in 1988, moving from product marketing to the company’s secure systems division in 1993, serving as CSO since at least 2003. In a June regulatory filing, Oracle said former Walmart CISO Robert Duhart now supervised day-to-day cybersecurity operations. We don’t usually cover staffing changes on this show, but this seemed notable given her longtime role as a CSO at a core technology company.






