Today's Cybersecurity Pulse

Bol denies alleged fake data breach of 400,000 customers
A hacker claimed to have stolen personal data of 400,000 Belgian Bol customers and posted the alleged dataset for sale on a dark‑web forum for €100 (about $109). Bol, owned by Ahold Delhaize, publicly denied any breach and said it had no knowledge of the alleged data. The story was reported by Retail Detail and SC Media.

Op-Ed: An Evolving Tide of Cyber Threats
Marco Ayala, technical director at ABS Consulting, warns that the Houston Ship Channel – the nation’s largest energy and chemicals hub handling over 300 million short tons of cargo annually – faces an escalating blend of cyber, physical and hybrid threats. Recent U.S. Coast Guard rules, NATO exercises, and AI‑driven monitoring tools highlight both the growing attack surface and the need for coordinated defense. Nation‑state actors, APT groups and ransomware gangs are targeting OT systems, risking operational shutdowns and environmental disasters. The op‑ed stresses that resilient maritime security now hinges on integrated cyber‑physical strategies and public‑private collaboration.
Synology: Three Security Advisories on Resolved Vulnerabilities
Synology issued three security advisories on April 15‑10, 2026, resolving multiple vulnerabilities in its DiskStation Manager (DSM) firmware and SSL VPN Client. The DSM advisories (SA‑26:07 and SA‑26:06) address CVE‑2026‑40540 and a suite of CVEs (2026‑40530 through 2026‑40539) that allow remote...

How Bol Fell Victim to a “Fake Data Breach”: New Trend in Cybercrime
A hacker claimed to have stolen personal data of 400,000 Belgian Bol customers and posted the alleged dataset for sale on a dark‑web forum. The offer was priced at €100 (about $109) and purported to contain names, addresses, phone numbers...

Researchers Give Malaysian Gov’t Lengthy Digital ID To-Do List
Malaysia’s MyDigital ID, launched in 2023, now serves as a single sign‑on for over 80 government and regulated private services. The Khazanah Research Institute’s discussion paper applauds its security, privacy‑by‑design and governance, but flags gaps in statutory framework, oversight, funding...
Beware: IT Impersonators Using Teams to Steal Data
Crooks are impersonating IT and reaching out via Teams, only to be granted access and steal data. https://t.co/KRcz5txxyo

SANS Institute Preps Live Systems for NATO Cyber Exercise
The SANS Institute will supply a fully operational power‑generation cyber range for NATO’s 16th Locked Shields exercise in Tallinn. For the first time the exercise will use real industrial control systems and physical equipment, letting 16 blue‑team defenders protect a national‑scale...
SUSE and Nvidia Unveil SUSE AI Factory, a Sovereign Enterprise AI Platform
At SUSECON 2026 in Prague, SUSE and Nvidia introduced SUSE AI Factory, a pre‑validated, turnkey AI platform designed for enterprises and governments that need digital sovereignty and strict security. The solution integrates SUSE Rancher Prime, SLES and Nvidia AI Enterprise...
GitLab 18.11 Launches AI‑Driven SAST Agent and Automated Merge‑Request Generation
GitLab released version 18.11, adding a platform‑native AI SAST remediation agent that auto‑generates merge requests and two new AI assistants for CI pipeline design and real‑time data analysis. The features aim to close the “AI paradox” by extending AI beyond...
Fraudsters May Target AI Mandates as Agentic Commerce Takes Off
AI‑driven agents are set to handle consumer transactions, a trend dubbed agentic commerce. McKinsey projects up to $1 trillion in U.S. B2C revenue by 2030, with a global market potential of $3‑5 trillion. Visa’s security unit observed a 450% surge in dark‑web...
Data Security Becomes a Core Skill in Modern Legal Recruitment
Law firms are increasingly recognizing data security as a core competency, driven by the sensitive nature of client information, intellectual property, and legal strategies. Cyber threats targeting these assets are rising, prompting firms to adopt encryption, multi‑factor authentication, and regular...
Europol’s Operation PowerOFF Dismantles DDoS‑for‑Hire Networks, Warns 75,000 Users
Europol led a multinational crackdown that took down 53 DDoS‑for‑hire domains, issued 25 search warrants and arrested four suspects. During the coordinated action week, 75,000 users received warning messages, and law enforcement exposed data on over 3 million criminal accounts.
ANALYSIS: Big Tech Sets AI to Catch AI
Advanced AI is reshaping cyber‑security as both a weapon and a shield. Hackers leveraged over 1,000 AI prompts to breach Mexico’s tax authority, exposing 195 million records and prompting one of the largest government data leaks. At the same time, Anthropic’s...

They Built a Legendary Privacy Tool. Now They’re Sworn Enemies
GrapheneOS, the open‑source Android hardening platform hailed as the gold standard for mobile privacy, was co‑created by Canadian security researcher Daniel Micay and a second lead developer. Over the past year, a bitter personal and strategic rift has erupted between...

Canada Life Breach Exposes Data of up to 70,000 People – Mostly Customers
Canada Life disclosed a cyber incident that exposed personal information for up to 70,000 individuals, primarily employees of a single large corporate client. The breach was carried out by the ShinyHunters hacking group, which gained unauthorized access through an employee’s...
Turkish Airlines Miles&Smiles Account Deletion Email With 800K Miles – Real Or Not?
A Turkish Airlines Miles&Smiles member with over 800,000 miles received an email stating the account would be deleted for inactivity, despite recent logins and mileage accrual. The notice originated from mail.turkishairlines.com and used generic language like "Dear Member" without personal...

The Global AI Threat Has Arrived
Anthropic unveiled Claude Mythos Preview, an AI model that can autonomously locate and exploit vulnerabilities in major operating systems and web browsers. The discovery has alarmed business leaders and policymakers worldwide, prompting concerns about a new class of AI‑driven cyber threats. Even...
Deep Dive Into the New Kill Chain
Cyberrey will present at the ITWeb Security Summit JHB 2026, unveiling what it calls a "new kill chain" driven by AI‑powered shadow IT. The firm warns that every device, API or cloud workload now creates an exponential attack surface that outpaces...
Vercel Data Breach Exposes SA Developer Community
Vercel, the US‑based platform behind the popular Next.js framework, disclosed a security incident in which attackers accessed internal systems through a compromised third‑party AI tool, Context.ai. The breach allowed the intruder to obtain non‑sensitive environment variables from a limited set...

Panasonic Creates Device-Locked QR Codes to Speed Facial Biometric Capture
Panasonic has introduced device‑locked QR codes that work only with authorized readers, streamlining facial‑biometric enrolment for its Site Management Service. The QR code carries registration data; when scanned by the system’s camera, it triggers a facial capture, eliminating the need...
Common Challenges of Online Fraud
Harold van Graan of Solid8 Technologies outlines how online fraud has evolved beyond simple transaction theft to include checkout abuse, inventory hoarding, loyalty fraud, and promo abuse. Bots can empty high‑value stock in seconds, while account‑takeover schemes siphon points and...

Public Servant Charged over Alleged NSW Treasury Document Heist
A 45‑year‑old public servant employed by the New South Wales Treasury was charged with attempting to exfiltrate more than 5,600 sensitive government documents. Police launched “Strike Force Civic” on April 20, raiding the suspect’s residence and arresting him the same day. The...

Cisco Launches Sovereign Critical Infrastructure Across EMEA
Cisco announced the launch of its Sovereign Critical Infrastructure (SCI) portfolio for customers across Europe, the Middle East and Africa. The offering bundles Cisco’s networking, security, compute, collaboration, AI and Splunk solutions into configurable, air‑gapped or hybrid on‑premises environments. It...

Mobai Certified for Cybersecurity and Privacy Protection
Norwegian digital identity company Mobai has secured ISO/IEC 27001:2022 certification, confirming its Information Security Management System meets international standards. The audit, conducted by DNV, took effect on March 30, 2026, and is crucial for its biometric services to financial, government,...

Arbitrum Freezes $71 Million in Ether Tied to Kelp DAO Exploit
Arbitrum’s Security Council moved 30,766 ETH—about $71 million—into a frozen intermediary wallet after the Kelp DAO rsETH exploit. The freeze recovers roughly a quarter of the $292 million stolen when attackers compromised a LayerZero verifier, an incident linked to North Korea’s Lazarus Group....

Ripple Wants the XRP Ledger to Be Quantum-Proof by 2028. Here Is Its Plan
Ripple announced a four‑phase roadmap to make the XRP Ledger quantum‑resistant by 2028. The plan starts with an emergency “Q‑day readiness” phase that would require all funds to move to quantum‑safe accounts and enable recovery via zero‑knowledge proofs. Subsequent phases...

Advanced AI Raises Security Risks
Palo Alto Networks warns that emerging generative AI models will soon become powerful tools for cyber attackers. In internal tests, the firm’s AI completed the equivalent of a year’s penetration testing in just three weeks and demonstrated the ability to...
10 Best Cloud Data Security Software on G2: My Top Picks
The cloud data security market, valued at $4.75 billion in 2024, is forecast to reach $11.62 billion by 2030, underscoring rapid growth. Disha C’s G2‑based guide ranks the top ten platforms, from Acronis Cyber Protect Cloud’s unified backup and AI threat detection...

Mythos Remains a Mystery as Security World Faces Rising Threats, Agentic Attacks and Concerns About AI Integrity
Anthropic’s unreleased Claude Mythos model, touted for large‑scale software analysis and automated vulnerability chaining, was highlighted by Head of Threat Intelligence Jacob Klein at the SANS Cybersecurity Summit. Klein warned that AI‑driven attacks are accelerating, citing recent breaches at Vercel...

The Illusion of Control: Why Boards Misjudge Cybersecurity Readiness
Recent research from Harvard Business Review, McKinsey, IMD and Deloitte shows corporate boards are consistently misjudging cybersecurity readiness. The missteps stem from three systemic gaps: insufficient cyber fluency, role confusion between oversight and micromanagement, and a lack of decision‑ready information....
Critical RCE Flaw Hits Flowise AI Workflow Engine, Threatening Millions of DevOps Pipelines
Security firm OX Security disclosed a critical remote code execution vulnerability in Flowise, an open‑source AI workflow builder used in CI/CD pipelines. The flaw stems from Anthropic's Model Context Protocol (MCP) SDKs and affects an estimated 200,000 instances across more...

Is Indonesia’s Digitalisation Push Leaving MSMEs Exposed?
Indonesia’s finance sector is experiencing a surge in cyber scams, with phishing attacks targeting the industry at a 24.42% rate—far above other sectors. The Financial Services Authority (OJK) reports that scams occur three to four times more often in Indonesia...

SANS Stormcast Tuesday, April 21st, 2026: CVE and EPSS; Windows Server 2025 OOB; QEMU Abuse;
In this 5‑minute Stormcast episode, Johannes Ullrich discusses the surge of new CVEs and the limitations of the NVD, introducing the Exploit Probability Scoring System (EPSS) as a scalable way to prioritize vulnerabilities. He then covers Microsoft’s out‑of‑band patch for...
20 New Security Enhancements Boost Internet Protection
I’m so encouraged by the way our team and industry peers have shown up to protect the internet. We’ve now shipped over 20 product improvements across Dashboard and CLI to help your security posture. Easier to set up MFA, audit your Environment...

Fime Launches Agentic Commerce Trust Layer Service
Fime has launched FACT (Framework for Agentic Commerce Trust), a "trust‑as‑a‑service" platform that secures AI‑driven financial transactions. The service adds intent validation, real‑time policy monitoring, transaction‑level attestation and independent auditor agents, enabling merchants to accept AI‑initiated payments while giving banks...
Woodway Assurance Launches EviData Feature to Tackle Quebec and EU Anonymization Rules
Woodway Assurance introduced an automated inference‑risk assessment module for its EviData platform, aimed at meeting Quebec's privacy regulations and the EU's GDPR. The feature debuted today at a Toronto event co‑hosted with PwC Canada, giving organizations a scalable way to...
BePrime Breach Leaks 12.6 GB of Client Data and Exposes 1,858 Network Devices
BePrime, a Mexican cybersecurity provider to firms like Iberdrola and Whirlpool, confirmed a hack that leaked 12.6 GB of data and gave attackers control of 1,858 Cisco Meraki devices. The breach, attributed to missing multi‑factor authentication, underscores supply‑chain risk in the...

Vibe Coding Upstart Lovable Denies Data Leak, Cites 'Intentional Behavior,' Then Throws HackerOne Under the Bus
AI coding platform Lovable, valued at $6.6 billion, faced a Broken Object Level Authorization (BOLA) vulnerability that allowed any free‑account user to view other users’ source code, database credentials, and chat history. The flaw, reported 48 days earlier, was first dismissed...

The Web Is Gaslighting AI Agents and Nobody Can Tell
Researchers at Google DeepMind have identified a new class of threat called “AI Agent Traps,” where hidden instructions embedded in ordinary web pages can manipulate autonomous AI agents. The paper outlines six attack vectors, including content injection and semantic manipulation,...

Alabama Becomes Latest State to Enact Comprehensive Privacy Law
Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (APDPA) on April 16, 2026, making it the latest state to adopt a comprehensive consumer privacy law. The statute, which takes effect on May 1, 2027, applies to businesses that process the data...
Commentary: Southeast Asia’s Scam Centres Are a New US-China Battleground
Cyber‑fraud scam centres across Southeast Asia entrap roughly half a million people and siphon about $43.8 billion a year, roughly 40% of the region’s combined GDP. China and the United States both vie to lead anti‑fraud initiatives, but their competing digital...
Ethereum Offers Upgradeable, Limit‑enforced Contracts; Canton Lacks Protection
What's possible on Ethereum that's not possible on Canton? "You can set limits, you can make it upgradeable with keys in cold storage by Circle in a multisig, and this smart contract enforces limits." "You cannot do this on Canton. Your...
Startup Accidentally Exposes Personal Info via Public Roadmap
A startup just CCed me its roadmap because a) its roadmap is on GitHub and b) minor notes on that roadmap named my Twitter account which c) is lexically equivalent to my GitHub account. Had never thought of that route for information...
Vuln in Google’s Antigravity AI Agent Manager Could Escape Sandbox, Give Attackers Remote Code Execution
Researchers at Pillar Security disclosed a critical vulnerability in Google’s Antigravity AI‑powered developer tool that allowed prompt injection to escape the platform’s Secure Mode sandbox and achieve remote code execution. The flaw leveraged the native "find_by_name" system tool, which bypassed...
Voluntary Security Attestations Boost Open‑Source Supply‑Chain Safety
Our colleagues at Open Regulatory Compliance have released a statement on Article 25 of the EU's CRA. Voluntary security attestations can help sustain open source and improve supply chain security. We support the joint ORC statement. 👇 https://t.co/3iGhnJ58RT
The FTC’s AI Portfolio Is About to Get Bigger
The Federal Trade Commission is preparing to enforce the Take It Down Act, a law that criminalizes the distribution of AI‑generated nonconsensual sexual images and gives victims a right to request rapid removal of such content. Enforcement begins in May,...

Retirees Are a Prime Target for Identity Theft. This 15-Minute Checkup Could Save You Thousands
Retirees are increasingly targeted by identity thieves, with the FBI reporting an average loss of $38,500 per victim in 2025. The article outlines a four‑step, 15‑minute checkup—credit monitoring, Social Security review, Medicare statement audit, and password hygiene—to curb fraud. It...

Scaling Mobile Authentication Across The Modern Enterprise
Enterprises are rapidly adopting mobile authentication to replace static badge systems, driven by AI investments and a tech‑savvy workforce. A recent HID report shows nearly two‑thirds of security leaders are deploying or planning mobile credentials, citing benefits such as instant...

ASIC, APRA Among Regulators Monitoring Anthropic's Mythos
Australian and Asian financial regulators are intensifying scrutiny of Anthropic's AI model Mythos after it demonstrated a powerful ability to uncover software vulnerabilities. ASIC and APRA in Australia, Hong Kong’s HKMA, South Korea’s FSS and FSC, and Singapore’s MAS have all...
DeFi Must Rethink Trust After Lazarus Breaks Eight Protocols
"If Lazarus can break 8 different protocols in 8 different ways, then DeFi has to stop working from the framework of assuming that all transactions are legitimate." 👀 -- @austincampbell https://t.co/xtIdxNvnOf

Security Firm Releases 114m-Record Dataset Built From Live Enterprise Attack Traffic
WitFoo, a US‑New Zealand security vendor, released the Precinct 6 Cybersecurity Dataset, a free, Apache‑2.0‑licensed collection of 114 million labelled security‑event records captured from five enterprise networks in mid‑2024. The data spans telemetry from 158 products across more than 70 vendors, with 99.34%...