Good Morning Security Gang
Merry Christmas Eve, y’all! The background’s looking Christmassy, the coffee’s strong, and we’ve got a busy news day before the holiday break.
Today, we’re covering Aflac’s massive 22 million–person breach, an insider data theft at Shinhan Card, Nova Scotia Power’s heavily redacted incident report, the FCC’s new foreign drone ban, and a MongoDB vulnerability that needs patching before you unplug for Christmas. We’ll also dive into the DOJ’s takedown of a fake bank ad ring, Italy’s $116M fine against Apple, and ServiceNow’s $7.75B acquisition of Armis.
Grab that espresso — I’m sipping a double this morning with perfect crema — and let’s roll!
Aflac Breach Impacts 22 Million Individuals
Aflac confirmed that 22.7 million customers, agents, employees, and beneficiaries were affected in a June 2025 breach, exposing claims data, Social Security numbers, and personal information.
The company said no ransomware was involved, but the identity blast radius is enormous, and regulators estimate at least 2 million Texans were impacted. The incident has been linked to Scattered Spider, given its signature targeting patterns.
As I said on the show: “A breach of this scale turns claims and contact systems into open doors for fraud — so monitor for redirected payouts and credential resets like your business depends on it, because it does.”
Shinhan Card Insider Leaks Merchant Data
Shinhan Card, one of South Korea’s largest financial firms, confirmed an insider attack after an employee at a sales branch exfiltrated merchant data to a recruiter. The leak impacted 192,000 merchants, including 180,000 phone numbers and 8,000 records with full names and contact info.
This wasn’t a breach — it was a failure of least privilege and data segmentation. No salesperson should have had that much access.
"Why would an employee at a sales branch have access to all your data? There's no logical reason for it. None, none whatsoever... That's not a data breach. That's an insider attack because you didn't segment your data... You need access to what you need to do your job based on your job description." James Azar
If you’re a CISO, it’s time to revisit role-based access controls and enforce just-in-time permissions for anything involving customer or merchant data.
Nova Scotia Power Cyberattack Report Released
Months after the Nova Scotia Power breach, the company has released its long-awaited incident report, revealing just how disruptive the attack was. While OT systems stayed operational, IT systems — email, scheduling, and vendor access — came to a standstill, delaying maintenance and vendor payments.
The report — heavily redacted — shows how administrative dependencies cripple resilience even when physical systems remain safe. As I said: “Paperwork and IT chaos can stop a utility cold — ransomware doesn’t have to touch a turbine to hit your bottom line.”
Key takeaways:
Segment IT and OT networks.
Gate vendor access behind VPNs, MFA, and IP allowlists.
Keep offline gold images for engineers.
Rehearse manual workflows for dispatch and operations.
FCC Bans Foreign-Made Drones and Components
The FCC has officially banned foreign-manufactured drones and components, particularly from China, citing national security concerns.
This decision will immediately impact public sector and regulated industries using UAVs for inspections, mapping, and infrastructure monitoring. Organizations must inventory their drone fleets, replace banned components, and plan procurement shifts after the holidays.
This aligns with the National Defense Authorization Act (NDAA), closing loopholes on imported hardware in sensitive U.S. infrastructure.
MongoDB Critical Vulnerability Patched
A critical MongoDB vulnerability was disclosed and patched this week — a memory leak bug allowing unauthenticated access to sensitive data when zlib network compression is enabled.
The fix is available in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. If you can’t patch immediately, disable zlib compression and use Snappy or ZSTD as a workaround.
Patch before you head out for Christmas, or risk coming back to a breached database.
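If you are working through a fleet before the break, here is an added triage helper (my own example, not from the show or from MongoDB). It checks each server's reported version against the fixed releases listed above and, for unpatched servers, whether zlib is still in the compressor list. The fixed-version table is taken from the post; `net.compression.compressors` and `--networkMessageCompressors` are MongoDB's real setting names; the fleet inventory is constructed sample data.

```python
# Added triage helper (not from the show or from MongoDB): checks a server's
# reported version against the fixed releases listed above and whether the
# zlib workaround is still needed. Sample fleet data is constructed.

# Fixed releases named in the post, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30),
}

def parse_version(version):
    """Turn '7.0.27' or 'v7.0.27-rc1' into the tuple (7, 0, 27)."""
    core = version.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_patched(version):
    """True if at/above the fixed release for its branch, False if below,
    None if the branch is not in the advisory table (e.g. EOL 4.2)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    return None if fixed is None else (major, minor, patch) >= fixed

def zlib_enabled(compressors):
    """compressors is the value of net.compression.compressors (or the
    --networkMessageCompressors flag), e.g. 'snappy,zstd,zlib'."""
    return "zlib" in {c.strip().lower() for c in compressors.split(",")}

def assess(version, compressors):
    """One of: 'patched', 'workaround-in-place', 'exposed', 'unknown-branch'."""
    patched = is_patched(version)
    if patched is None:
        return "unknown-branch"
    if patched:
        return "patched"
    return "exposed" if zlib_enabled(compressors) else "workaround-in-place"

if __name__ == "__main__":
    fleet = [  # constructed: (host, db.version(), compressors setting)
        ("db-01", "7.0.27", "snappy,zstd,zlib"),  # unpatched, zlib on
        ("db-02", "7.0.28", "snappy,zstd,zlib"),  # fixed release
        ("db-03", "6.0.26", "snappy,zstd"),       # unpatched, zlib off
        ("db-04", "4.2.25", "snappy,zstd,zlib"),  # branch not in advisory
    ]
    for host, ver, comp in fleet:
        print(f"{host}: {ver} [{comp}] -> {assess(ver, comp)}")
```

Feed it the output of `db.version()` and the compressor setting from each node's config; anything reported as `exposed` or `unknown-branch` goes to the top of the list.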
AI Bot Attack Cripples Chinese Livestream Platform
Chinese streaming platform Kuaishou, a rival to TikTok, was hit by an AI-driven bot flood that launched 17,000 illicit livestreams in just 90 minutes, overwhelming human moderators and forcing a complete shutdown of its live section.
This is a terrifying look at automated abuse at scale — what happens when AI creates content faster than human teams can moderate. As I warned: “Your AI is only as strong as your guardrails. We’re entering an era where it’s your AI versus theirs.”
"Imagine this happening in your environment where your SOC has to manually open these tickets, and your SOC's manually opening tickets while AI is generating stuff that's happening a thousand times a minute. Humans can't keep up... That's the world we're heading to because as attackers start to really build AI tools, humans can't keep up. So we have to have our own AIs to defend it."
Platforms must build velocity caps, risk-based gating, and AI-assisted moderation to survive the next wave of automated exploitation.
DOJ Takes Down $14.6M Fake Bank Ad Ring
The U.S. Department of Justice seized the adspanel.org domain used in a bank credential theft campaign, which spoofed legitimate bank ads on Google and Bing to steal login credentials.
The scammers lured victims through fake sponsored search results, leading them to counterfeit bank websites. The DOJ confirmed $14.6 million in verified losses and at least $28 million in attempted thefts.
If your company buys digital ads — verify your brand’s ad supply chain. Threat actors are laundering trust through the same ad networks your marketing team uses.
Italy Fines Apple $116 Million for Privacy Violations
Italy’s antitrust regulator has fined Apple $116 million for self-preferencing and deceptive tracking practices in its App Tracking Transparency (ATT) feature.
While third-party developers must ask permission to track users, Apple’s own apps reportedly bypass those restrictions, collecting behavioral data directly.
I’m not usually one to cheer regulators, but as I said: “If your privacy policy has an asterisk for yourself, that’s not privacy — that’s privilege.”
Apple plans to appeal, but this may reshape ATT enforcement across the EU.
ServiceNow Acquires Armis for $7.75 Billion
ServiceNow is entering the cybersecurity big leagues with its $7.75 billion acquisition of Armis, the leading IoT and OT security platform.
This is a major consolidation play — bringing OT, IoT, and medical device visibility directly into ServiceNow’s enterprise workflows and AI-driven SOC capabilities.
Armis abandoned its IPO plans in favor of this acquisition, signaling how security platforms are converging into end-to-end ecosystems.
As I said on the show: “ServiceNow just bought its way into the SOC. Now it has to earn the trust to stay there.”
Action List
🧾 Monitor for fraud tied to Aflac’s breach — claims, redirects, and credential resets.
🧍♂️ Audit access controls and apply least privilege for all sales and customer-facing roles.
⚙️ Segment IT/OT networks and rehearse manual continuity processes.
🚁 Inventory and replace banned UAV components to meet FCC compliance.
💾 Patch MongoDB to the latest version or disable zlib compression.
🤖 Deploy AI-assisted moderation and velocity controls to counter automated bot ops.
🏦 Verify ad domains and monitor for spoofed bank or login pages.
🍏 Review privacy frameworks for consistency and transparency.
💼 Track ServiceNow–Armis integration for potential supply chain and SOC implications.
James Azar’s CISO’s Take
Today’s stories highlight the collision between data sprawl, insider access, and regulatory scrutiny. From Aflac’s mass data exposure to Shinhan’s internal leak, we’re reminded that visibility without control is an illusion. Add AI-driven bot floods and new supply chain bans, and the cybersecurity landscape looks like an orchestra where every section’s playing a different song.
My biggest takeaway? Resilience is now an ecosystem play. Between ServiceNow’s acquisition of Armis and MongoDB’s race to patch, collaboration between IT, compliance, and security isn’t optional — it’s survival. So before you unplug for the holidays, patch your systems, lock your access, and give your SOC the gift of visibility.
Merry Christmas to everyone celebrating. I hope you get to enjoy your time with your families and loved ones. And no matter what, the holiday season is about being kind to others and helping others.
Stay festive, stay alert, and as always — stay cyber safe.