The Target: Digital payments giant PayPal
The Take: Hackers had access to names, addresses, Social Security numbers, individual tax identification numbers and dates of birth.
The Vector: The threat actors behind the PayPal breach used a tactic called credential stuffing, where attackers use stolen username/password combinations from one data breach to attempt to log into other websites and services.
This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.
Investment News: The constantly evolving landscape of third-party risks that are seen by Finra staff have been highlighted in its 2025 Regulatory Oversight Report.
PYMNTS: Cybersecurity is a major concern for CFOs of middle-market firms, especially those facing high uncertainty due to fluctuating demand, supply chain disruptions, or macroeconomic volatility. These challenges create financial strain and long-term strategic setbacks.
World Economic Forum: While the complexity of today's cyber environment is daunting, our focus at the World Economic Forum's Centre for Cybersecurity must be on translating this complexity into concrete actions that organizations can implement to enhance their resilience.
GlobeNewswire: Rise in cyber threats and surge in remote work trends are the factors expected to propel the growth of the global cybersecurity market. However, factors such as high implementation costs and a shortage of skilled professionals are anticipated to hamper the growth of the global market.
CSO Online: As chairman of the board for Cinturion Group, Richard Marshall is intimately involved in ensuring the security of the fiber optic network his company is constructing from India through the Middle East and on to Europe.
CNBC: DeepSeek said it would temporarily limit user registrations “due to large-scale malicious attacks” on its services, though existing users will be able to log in as usual.
MarketScreener: India's central bank said its chief has urged banks to tighten their oversight on cybersecurity issues and to have systems in place that can prevent digital fraud.
The Target: Otelier, previously known as MyDigitalOffice, is a cloud-based hotel management solution used by over 10,000 hotels worldwide to manage reservations, transactions, nightly reports, and invoicing.
The Take: The small samples seen by BleepingComputer include a broad range of data, including hotel guest reservations, transactions, employee emails, and other internal data. Some of the personal information exposed includes hotel guests' names, addresses, phone numbers, and email addresses.
The Vector: The threat actors behind the Otelier breach told BleepingComputer that they initially hacked the company's Atlassian server using an employee's login. These credentials were stolen through information-stealing malware, which has become the bane of corporate networks over the past few years.
This breach highlights the extreme importance of timely software updates for known software vulnerabilities, not only in systems directly under a firm’s control, but in third-party systems the firm relies upon as well. The longer a firm, or its vendors, hold out on deploying the most up-to-date software for their systems, the greater the chance an attacker will exploit the issue.
Business Wire: As organizations expand their digital ecosystems, the complexity of managing firewall policies across hybrid and multi-cloud environments continues to rise.
CSO Online: If your enterprise operates in Europe, you should care about the Digital Operational Resilience Act (DORA), which took effect on January 17.
Dark Reading: In its first full day, the Trump administration axed all advisory committee members within the Department of Homeland Security, including the people that make up the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Safety Review Board (CSRB).
PYMNTS: With scams, fraud and new ways for criminals to commit financial crimes springing up seemingly by the hour, the World Economic Forum 2025 in Davos, Switzerland, has placed cybersecurity front and center.
EU Startups: Zynap, a Barcelona-based cybersecurity startup leveraging Gen-AI to fight cybercrime proactively by simulating cyber threat tactics, has announced its launch and close of their €5.7 million funding round to fuel their expansion plans.
Yahoo Finance: Cognizant and CrowdStrike announced a strategic partnership to drive enterprise security transformation by delivering cybersecurity services, powered by the AI-native CrowdStrike Falcon® cybersecurity platform.
TechCrunch: During his first day in office, President Donald Trump revoked a 2023 executive order signed by former President Joe Biden that sought to reduce the potential risks AI poses to consumers, workers, and national security.
The Target: Japanese electronics manufacturer Casio.
The Take: For the nearly 6,500 employees impacted, basic information collected by human resources was accessed, including names, employee numbers, email addresses and departments. Some employees had other information like gender, date of birth and home address leaked while a small number of those affected had taxpayer ID numbers exposed.
The Vector: An investigation conducted by an outside cybersecurity firm sourced the ransomware attack back to phishing emails that allowed the hackers into Casio’s servers.
As phishing actors continue to explore every potential abuse opportunity on legitimate service providers, novel security gaps constantly threaten to expose users to severe risks. It is essential not to rely solely on email protection solutions, and also scrutinize every email that lands on your inbox, look for inconsistencies, and double-check all claims made in those messages.
CNBC: The Biden administration announced an executive order on cybersecurity that imposes new standards for companies selling to the U.S. government and calls for greater disclosure from software providers.
Forbes: The Securities and Exchange Commission (SEC) implemented new rules governing the reporting of material data breaches in order to keep investors better informed about the cybersecurity risks public companies face.
Investing.com: Legal & General UCITS ETF PLC, a prominent investment management company, has announced an upcoming change to one of its sub-funds, specifically the L&G Emerging Cyber Security ESG Exclusions UCITS ETF.
Cybersecurity Dive: Cybersecurity risk, including ransomware, data breaches and IT disruptions, remained the top business concern in the U.S. and worldwide over the past year, according to the Allianz Risk Barometer.
Crunchbase: Cybersecurity venture investment jumped 43% in 2024 from the previous year as big rounds came back strong. That was despite flat funding quarter to quarter in Q4 and a smaller number of deals during the year.
CSO Online: The US Cybersecurity and Infrastructure Security Agency (CISA), along with its international cybersecurity allies, has unveiled the "Secure by Demand" guidelines to safeguard operational technology (OT) environments.
U.S. Securities and Exchange Commission (SEC): The Securities and Exchange Commission filed settled charges against Ashford Inc. for materially false and misleading disclosures to investors regarding a cyber incident.
The Target: PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that supports over 60 million students and over 18,000 customers worldwide. The company offers a full range of services to help school districts operate, including platforms for enrollment, communication, attendance, staff management, learning systems, analytics, and finance.
The Take: PowerSchool has confirmed that the stolen data primarily contains contact details such as names and addresses. However, for some districts, it could also include Social Security numbers, personally identifiable information, medical information, and grades.
The Vector: After investigating the incident, it was determined that the threat actor gained access to the portal using compromised credentials and stole data using an "export data manager" customer support tool. Using this tool, the attacker exported the PowerSchool SIS 'Students' and 'Teachers' database tables to a CSV file, which was then stolen.
This breach is a stark reminder of how strong authentication controls are in an overall robust cybersecurity posture, and that good password hygiene plays a pivotal role in protection.
Funds Europe: Railpen, the pension manager of the UK rail industry, and Royal London Asset Management (RLAM) have jointly published a report to address the growing threat of cybersecurity risks in investment portfolios.
Cybersecurity Dive: The lookback on cybersecurity funding underscored a continuing trend toward larger deals in the sector. Total funding was up year over year while the number of rounds declined.
SecurityWeek: Funding raised by cybersecurity firms increased to $9.5 billion last year amid a decrease in funding volume, a new report from cybersecurity recruitment firm Pinpoint Search Group shows.
Forbes: I was recently at an executive forum and engaged in a dialogue with roughly a dozen peers. The routine introductions broke the ice until I shared that I was in the cybersecurity field.
PR Newswire: According to the findings of a new report from Arelion, a staggering 90 percent of decision makers believe that hackers are more likely to trick AI-based cybersecurity tools than those operated by humans - especially for 34 percent of US and 29 percent of UK business leaders.
The Record: The Trump administration shouldn’t abandon an effort to get federal agencies to set cybersecurity priorities as part of their annual budget requests, the nation’s outgoing cyber czar said.
Yahoo News: The U.S. cyber watchdog agency CISA said there was "no indication" the recently reported breach at the U.S. Treasury Department had affected any other federal agency.
Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios More →
Montreal
1080 Côte du Beaver Hall, Suite 904
Montreal, QC
Canada, H2Z 1S8
+1-450-465-8880
Halifax
84 Chain Lake Drive, Suite 501
Halifax, NS
Canada, B3S 1A2
+1-902-429-8880
Manila
Ground Floor, Three E-com Center
Mall of Asia Complex
Pasay City, Metro Manila
Philippines 1300
Sydney
Level 15 Grosvenor Place
225 George Street, Sydney NSW 2000
Australia
+61 (2) 8823 3370
Abu Dhabi
Floor No.15 Al Sarab Tower,
Adgm Square,
Al Maryah Island, Abu Dhabi, UAE
Tel: +971 (2) 694 8510
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.
Terms of Service and Privacy Policy