this week in security — june 8 2025 edition
THIS WEEK, TL;DR
Supreme Court allows DOGE to access Social Security Administration data
Bloomberg ($): Breaking news late on Friday night *record screeches*... the Supreme Court now says Elon Musk's DOGE team can access sensitive data on millions of Americans stored by the Social Security Administration. The U.S. top court lifted restrictions that a lower court judge said were necessary to protect the privacy of millions of people living in America. The U.S. solicitor general, in arguing the case, said DOGE can't eliminate fraud and waste if its personnel can't access the data they seek. That data includes highly sensitive personal, tax, marriage and employment information, including Social Security numbers, birth and marriage records, tax records and earnings data, employment histories and bank and credit card information, per Bloomberg. "With that, the Supreme Court's conservatives allowed DOGE access to any and every person's Social Security data," writes Lawdork's @chrisgeidner. The three liberal justices dissented, with Justice Jackson arguing the decision creates "grave privacy risks." On top of the horrendous security practices by DOGE, as newly detailed by the Washington Post ($), who knows where our Social Security data will end up? And it's not as if we can FOIA for DOGE's records, since that's something else the court also determined on Friday...
More: Supreme Court [PDF] | NPR | Associated Press | NBC News | @chrisgeidner
White House drops mixed bag cybersecurity executive order
Politico: Also Friday, the White House dropped a mixed-bag executive order, which made for light (lol) weekend reading. The order repeals a bunch of Obama- and Biden-era cyber initiatives aimed at making the U.S. cyber safer. All of this comes in the face of widespread staff cuts at CISA, aka much of the people who were making all this happen. The executive order also reverses a Biden effort that encouraged U.S. agencies to start issuing and accepting digital identity documents; now seen as a path for allegedly facilitating "entitlement fraud and other abuse," the Trump order states. FederalNewsNetwork breaks down the order in more detail, including the elimination of efforts to research secure AI systems and requiring federal vendors to attest to following security practices (following the 2019/2020 SolarWinds attack by Russia); while Politico notes the order makes efforts to beef up encryption requirements in preparation of the arrival of quantum computers, and highlights a weird provision that seems to excuse foreign meddlers of U.S. elections from sanctions, which… seems odd, no?
More: White House | BankInfoSecurity | FederalNewsNetwork | @ericgeller
U.K. tax office admits losing £47 million to criminals posing as taxpayers
HM Revenue & Customs: Skipping to my OG homeland of the United Kingdom… organized criminals managed to extract some £47 million of His Majesty's finest pounds (or $64 million in U.S. freedom units) from the country's tax office, HMRC. The criminals posed as taxpayers, setting up thousands of new online accounts using stolen identity information, and fraudulently claiming money from the government. HMRC wasn't hacked, per se, but clearly got caught short on spotting the dodgy activity. (This sort-of attack happens a fair bit during the U.S. tax season, too; it's also why it's important to file your taxes early!) HMRC's top tax boff said the £47 million stolen "was a lot of money, and it's very unacceptable," which… yeah, not great for taxpayers but also not ideal knowing organized criminals are now £47M better resourced.
More: Reuters ($) | BBC News
Phone cracker Cellebrite to acquire Corellium for $170 million
Cellebrite: Cellebrite — yes, that Cellebrite, the forensics giant that makes technology for cops that can hack into phones — is buying the phone virtualization startup Corellium, the company that until 2023 Apple was trying to shut down. The deal will go down for about $170 million; a sizable payday for Corellium's founder, Chris Wade, who was in 2020 secretly pardoned by Trump for what later transpired to be email spamming. Cellebrite, for its part, was recently in the news after cancelling its contract with Serbia after human rights investigators found the company's technology was being abused by local police to break into phones of citizens to plant spyware. The subtext with this new Corellium purchase is that Cellebrite now has its own pipeline for identifying new vulnerabilities, bean to cup.
More: Forbes ($) | TechCrunch | Cyberscoop
~ ~
THE STUFF YOU MIGHT'VE MISSED
Microsoft, CrowdStrike, others agree on common threat actor taxonomy
Microsoft: Tech giants Microsoft, CrowdStrike, Google and Palo Alto Networks are trying to fix a problem they themselves largely created by agreeing on a common taxonomy for threat actors, so now all finally agree that the companies are all talking about the same group of hackers behind a threat group's name. But, crucially, the companies didn't agree on calling them all by the same name. Or, as @maldr0id accurately put the whole situation:
OpenAI executive says ChatGPT 'ingests' cloud data
Exponential View: New nightmare IT scenario unlocked: Per OpenAI's top product officer, oft-errant chatbot ChatGPT can now ingest data from Google Workspace, Microsoft 365, Dropbox, Box and more. As noted by @mattjay, that's a potentially major data headache, as employees invariably allow AI tools access to their company's data without realizing (or knowing) it'll ultimately get used to "improve" (heavy quotes) the chatbot. Remember, companies; It's a good idea to limit third-party access to your data!
The secret history of Trump's personal phone
The Atlantic ($): The Atlantic takes an alarming look at the history of Trump's use of his personal cellphone, and its apparent (ostensible?) security. Apparently, despite his phone number being widely out there, Trump is "not walking around with a run-of-the-mill iPhone off the shelf,” an adviser told The Atlantic. (The White House declined to explain more.) It might not matter, if the underlying phone network is still a hot mess of flaws capable of eavesdropping on calls, number spoofing, and impersonation — and, of course — a president willing to simply pick up the phone to anyone. Who needs to hack his phone when you can easily catch his ear? Or, worse, both.
Vanta bug exposed customers' data to other customers
TechCrunch: Just what you don't want from a compliance startup that knows everything about your security posture... Vanta admitted that 4% of its customers (read: hundreds out of 10,000+ customers) had some of their private data shared with other customers. Vanta said it was a product code change that caused the data exposure flub, and not a cyberattack. The company has refused to specify what data was exposed, but an affected customer told me that this included names, roles, and information about some tools, such as whether MFA was in use. You know, the totally normal stuff that a malicious attacker might find useful. (Disclosure alert: I wrote this story!)
~ ~
~ ~
OTHER NEWSY NUGGETS
New details emerge in Coinbase breach: Reuters has a new, more complete timeline of how the recent breach at Coinbase went down. The incident was blamed on contractors at Indian outsourcing firm TaskUs, which led to a breach of $400 million in lost funds. Hundreds of TaskUs employees were later fired, sparking protests among employees, who accuse the company of mistreatment. Ultimately, who was to blame for the breach? Yes, Coinbase, the billion-dollar crypto giant for not locking down its customers' data enough. (via Reuters ($))
Indian startup servers wiped: Grocery startup KiranaPro said it was breached and its GitHub and AWS servers wiped in a rare destructive attack, in what the company blamed on an insider incident, specifically a former employee. But, not so fast! My TechCrunch colleague @jagmeets13 quizzed the company's co-founder and CTO, who both conceded that they couldn't rule out an external breach after all and described a litany of their own security failings, including not offboarding the former employee's account after they left. (via TechCrunch)
Meta, Yandex deanonymizing users: Legendary reporter @dangoodin has a belter of a story on how Meta and Yandex, whose pixel-sized trackers are embedded in millions of websites, are deanonymizing Android users and bypassing Android privacy sandboxing protections in the process. It's heavy reading and complex, but this is ultimately bad because it means these tech giants can link the web browsing habits of real identities across the internet. Meta halted the practice after it was, well, caught out before it got busted by Google. (via Ars Technica, The Register)
Apple gave thousands of users' push notifications to cops: In a new transparency report, Apple disclosed for the first time that it gave police around the world access to thousands of customers' push notifications, which can identify a target's device and in some cases reveal the unencrypted contents of a notification. Apple and Google were previously barred from disclosing that it gave police access to push notification data. (via 404 Media ($))
CISA top job nom dropped from hearing: Sean Plankey, the Trump administration's pick to oversee CISA, was dropped from a House hearing this week, per @timstarks. It's not an indication that Plankey isn't the nomination anymore, but apparently his FBI clearance isn't ready yet. Sen. Ron Wyden put an indefinite hold on Plankey's nomination in exchange for CISA publishing a report detailing long-running flaws in the phone networks. CISA is still without a permanent director, despite some support from the tech industry. (via @timstarks)
Italian lawmakers confirm Italy deployed spyware: Lawmakers in Italy confirmed the government there did in fact use Paragon's Graphite spyware to snoop on the phones of several activists who work to save immigrants at sea, but did not find evidence that an Italian journalist was hacked with the spyware. The very excellent @lorenzofb broke down the lawmakers' report and dished out new details on the spyware attacks. (via TechCrunch, Haaretz ($))
Hackers mass-stealing Salesforce data: Looks like financially motivated hackers (think hackers associated with the Com) are impersonating IT staff and tricking unsuspecting companies using Salesforce into stealing data from their instances using connector tools and extorting the companies. At least 20 companies have been breached across the U.S. and Europe so far, per Google's latest data. Expect to see a wave of extortion efforts, if not data breach disclosures, in the near future. (via Google Cloud, Bloomberg ($))
~ ~
THE HAPPY CORNER
You know what time it is? It's chill-o'clock in the happy corner.
This week, some great news from Censys, which found 400 exposed web-based interfaces of U.S. water facilities, and worked with the Environmental Protection Agency to secure them — including 40 of them that were entirely unauthenticated and controllable by anyone with a web browser. It shows the U.S. has a long way to go to secure its critical infrastructure, but we don't make progress unless we document and detail along the way so others can learn, too. Great work here, and a very detailed report for the geeks like me who love the nitty-gritty. (SecurityWeek has a tl;dr, too.)
In time for 🏳️🌈 Pride Month 🏳️🌈 the good folks at Privacy Guides have an incredibly detailed data privacy guide for the queer community, and has some helpful tips and things to think about in terms of protecting your privacy and securing your data.
Relatedly, a short story from @vxunderground:
And finally, this week. Enjoy this chef's kiss moment of @mcnallyofficial bypassing a lock — right out of the box — after the lockmaker claimed it wasn't possible.
If you have good news you want to share, get in touch at: this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This week's cyber cat therapy pup is Zayah, who just wants to hear how you are doing today. What a good pupper! Thanks so much to Thomas A. for sending in!
Keep sending in your cyber-cats! Drop me an email with a photo and name of your cyber-cat (or non-feline friend!) and they'll be featured in a future newsletter.
~ ~
SUGGESTION BOX
And we're done! That's it for your week in security; I'll be back as you'd expect next week with all of the news you need to know from the past seven days.
As always, please do get in touch by email any time! It's great to hear from you, and I'll never say no to an extra cyber-cat (or friend) if you want to send yours in!
Until next week,
@zackwhittaker