CISO Talk by James Azar
CyberHub Podcast
Marquis Breach Exposes 74 US Banks, Freedom Mobile Hit, and Arizona Sues Temu for Alleged Spyware Behavior


Third-Party Vendor Marquis Compromises 400K Customers Across 74 Financial Institutions While 29.7 Tbps DDoS Sets New World Record and India Backtracks on Mandatory Government Surveillance App

Good Morning Security Gang

Today, we’re covering a third-party vendor breach hitting 74 U.S. banks, Freedom Mobile’s new data exposure, a massive DDoS attack peaking at 29.7 terabits per second, an Arizona lawsuit accusing Temu of spyware-like data collection, and more.

As always, I’ll break down what it means for you as a practitioner — not just another headline, but how this impacts your risk posture and your business decisions.

So grab that espresso — or two if it’s a Monday — and coffee cup cheers, y’all!

Marquis Breach Impacts 74 U.S. Financial Institutions

We kick off with a massive third-party data breach impacting 74 U.S. banks and credit unions, tied to Marquis, a marketing and analytics vendor for financial institutions.

“In the financial sector, zero room for error — your weakest vendor is your biggest exposure.” James Azar

The breach, first discovered in August 2025, exposed names, contact information, account metadata, and partial SSNs. Marquis delayed disclosure for months while cooperating with law enforcement and notifying regulators across states. Early reports suggest that the Akira ransomware gang may have been involved, though this has not been confirmed.

For financial institutions, the guidance is clear:

  • Treat all Marquis-connected data as exposed.

  • Rotate all API keys and SFTP credentials shared with the vendor.

  • Tighten velocity limits and require out-of-band authentication for account changes and wire transfers.

  • Publish SPF and DKIM and move DMARC to an enforcing policy (p=quarantine or p=reject); a p=none record only reports spoofing, it doesn’t stop the phishing wave that follows a breach like this.
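The DMARC/SPF bullet is easy to tick off on paper and get wrong in DNS. The following is an added example (not code from the post or from any of the institutions it names) that checks a domain’s SPF and DMARC records for the weaknesses that leave customers spoofable: a missing or soft-fail SPF terminator, a monitoring-only DMARC policy, partial pct, no reporting address, and a weaker subdomain policy. The TXT records are constructed stand-ins for DNS answers so it runs offline; swap `lookup_txt` for a real resolver to check live domains.

```python
"""Offline SPF/DMARC posture check.

Added example: the TXT records are constructed stand-ins for DNS answers
(all names use the reserved .example TLD). Replace lookup_txt() with a real
resolver such as dnspython to assess live domains.
"""

# Constructed sample records standing in for DNS TXT answers.
SAMPLE_TXT = {
    "weakbank.example": ["v=spf1 include:_spf.vendor.example ~all"],
    "_dmarc.weakbank.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weakbank.example"],
    "strongbank.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.vendor.example -all"],
    "_dmarc.strongbank.example": [
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@strongbank.example"
    ],
    "nodmarc.example": ["v=spf1 +all"],
}


def lookup_txt(name, table=SAMPLE_TXT):
    """Return TXT records for `name` (stand-in for a DNS query)."""
    return table.get(name, [])


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, table=SAMPLE_TXT):
    """Return a list of findings; an empty list means SPF and DMARC both enforce."""
    findings = []

    spf = [r for r in lookup_txt(domain, table) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record published")
    else:
        final = spf[0].lower().split()[-1]
        if final in ("+all", "all"):
            findings.append("SPF: '+all' authorises any host to send as this domain")
        elif final == "~all":
            findings.append("SPF: '~all' softfail; move to '-all' once DMARC enforces")
        elif final != "-all":
            # RFC 7208: no matching mechanism and no 'all' yields Neutral.
            findings.append("SPF: no terminal 'all' mechanism, unlisted senders are neutral")

    dmarc = [r for r in lookup_txt("_dmarc." + domain, table) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record, spoofed mail is neither blocked nor reported")
        return findings

    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} only monitors, spoofed mail is delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct<100 applies the policy to only part of the traffic")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, you will not see who is spoofing you")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if policy in ("quarantine", "reject") and sub_policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: sp={sub_policy} leaves subdomains spoofable")
    return findings


if __name__ == "__main__":
    for name in ("weakbank.example", "strongbank.example", "nodmarc.example"):
        print(name, "->", assess_domain(name) or ["enforcing"])
```

Run it against your own domains after the vendor breach and, separately, against every domain the vendor sends mail on your behalf from; the include: mechanism in the sample is where a compromised vendor’s sending infrastructure lands inside your SPF.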

Community First Credit Union, one of the affected institutions, briefly posted and deleted a filing indicating Marquis had paid a ransom to prevent data leaks — a reminder that even when you’re not the one breached, your vendor decisions define your risk surface.

Freedom Mobile Confirms Customer Data Breach

Canada’s Freedom Mobile, the nation’s fourth-largest carrier with over 2.2 million customers, confirmed unauthorized access exposing contact and billing information.

While no payment card data was confirmed stolen, the real risk here lies in SIM swapping and account takeover. With a subscriber’s name, number, and billing details, an attacker can impersonate the customer to the carrier, take over the number, and defeat SMS-based two-factor authentication at banks and fintech apps.

To mitigate:

  • Carriers should enforce port-out PINs and refuse remote SIM swaps that aren’t confirmed through a second factor the attacker doesn’t control (not a text to the number being moved).

  • Customers should watch for unexpected password-reset emails or MFA prompts tied to Freedom numbers, and for a phone that suddenly drops to “no service,” the classic SIM-swap tell.

  • Bank and fintech fraud teams must tune anti–SIM-swap heuristics (carrier SIM-change signals, number-change lookups, velocity) for spikes of activity against this customer base.
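What “tune anti–SIM-swap heuristics” looks like in practice, as an added example that is not from the post, Freedom Mobile, or any bank: a bank-side correlation that flags sensitive actions authenticated by SMS OTP when the same phone number had a carrier SIM-change or port-out signal shortly before, plus a simple per-hour spike counter on the carrier signals themselves. The log lines, event names, field layout, and the 72-hour window are all constructed assumptions to tune against your own baseline.

```python
"""Correlate carrier SIM-change signals with SMS-OTP-protected account events.

Added example. The feed format below is constructed: carrier signals and bank
events share a phone-number key. The 72-hour window and spike threshold are
starting points, not standards.
"""
from collections import Counter
from datetime import datetime, timedelta

CARRIER_SIGNALS = {"sim_change", "port_out"}
SENSITIVE_EVENTS = {"password_reset", "mfa_enroll", "payee_add", "wire_transfer"}

# Constructed sample feed (phone numbers are fictitious).
SAMPLE_LOG = """\
2025-12-04T09:58:02Z sim_change phone=+14165550101 src=carrier_feed
2025-12-04T10:31:40Z password_reset phone=+14165550101 user=u1042 auth=sms_otp
2025-12-04T10:35:12Z payee_add phone=+14165550101 user=u1042 auth=sms_otp
2025-12-04T11:02:00Z wire_transfer phone=+14165550202 user=u2210 auth=app_push
2025-12-01T08:00:00Z sim_change phone=+14165550303 src=carrier_feed
2025-12-04T12:00:00Z password_reset phone=+14165550303 user=u3377 auth=sms_otp
2025-12-04T12:10:00Z password_reset phone=+14165550404 user=u4400 auth=sms_otp
2025-12-04T13:00:00Z sim_change phone=+14165550505 src=carrier_feed
2025-12-04T13:05:00Z sim_change phone=+14165550606 src=carrier_feed
2025-12-04T13:09:00Z sim_change phone=+14165550707 src=carrier_feed
"""


def parse_line(line):
    """'<iso-ts> <event> k=v k=v ...' -> dict with parsed timestamp."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def load_events(text):
    """Parse and time-order the feed so carrier signals precede the events they explain."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])


def correlate(events, window_hours=72):
    """Flag SMS-OTP-authenticated sensitive events within `window_hours` of a carrier signal."""
    window = timedelta(hours=window_hours)
    last_signal = {}  # phone -> time of most recent SIM change / port-out
    alerts = []
    for e in events:
        phone = e["phone"]
        if e["event"] in CARRIER_SIGNALS:
            last_signal[phone] = e["ts"]
        elif e["event"] in SENSITIVE_EVENTS and e.get("auth") == "sms_otp":
            since = last_signal.get(phone)
            if since is not None and e["ts"] - since <= window:
                alerts.append({
                    "user": e["user"], "event": e["event"], "phone": phone,
                    "hours_after_signal": round((e["ts"] - since).total_seconds() / 3600, 1),
                })
    return alerts


def signal_spikes(events, threshold=3):
    """Hour buckets in which carrier signals reach `threshold` (set from your baseline)."""
    counts = Counter()
    for e in events:
        if e["event"] in CARRIER_SIGNALS:
            counts[e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    return {hour: n for hour, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for alert in correlate(evs):
        print("ALERT", alert)
    for hour, n in signal_spikes(evs).items():
        print("SPIKE", hour.isoformat(), n, "carrier signals")
```

Two things the sample is built to show: the push-authenticated wire on the second number is not flagged (the SIM swap buys nothing against an app-based factor), and the third number’s reset lands 76 hours after its SIM change, just outside the window, which is the kind of boundary you should deliberately test before trusting the rule in production.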

This is Freedom’s second data breach, following a 2019 vendor incident. In a competitive telecom market, another misstep could send customers — and revenue — fleeing.

Leroy Merlin Discloses Retail Customer Data Exposure

French home improvement retailer Leroy Merlin confirmed a breach exposing customer contact and loyalty data, including names, phone numbers, and purchase history. No financial data or passwords were taken.

While limited, this data can still fuel impersonation fraud and supplier phishing. Leroy Merlin operates in multiple countries, including France, South Africa, and Brazil, but the breach appears isolated to French systems, which suggests the regional systems are segmented from one another.

The company is rotating vendor tokens and reinforcing login prompts for risky redemptions and refunds. Still, it’s another reminder that supply chain access and loyalty data are prime extortion targets.

Japan’s Askul Recovers After Ransomware Attack

Japanese office supply and e-commerce giant Askul is slowly recovering from an October ransomware attack that shut down ordering systems and forced customers to submit orders by fax — yes, fax.

The company has resumed partial service but continues data restoration. This attack, part of a broader ransomware wave hitting Japanese manufacturing, underscores how legacy business continuity plans (BCPs) don’t always align with modern threats.

Recovery delays are creating supply chain disruptions and permanent customer loss as buyers switch to competitors. Once again, the cost of downtime extends well beyond ransom payments.

Arizona Sues Temu for Alleged Spyware Behavior

The Arizona Attorney General has filed a landmark lawsuit against Temu, alleging that its shopping app acts as spyware, collecting far more data than needed for legitimate business purposes — including location, contacts, and even sensor data.

According to the complaint, Temu can “detect when a user visits a doctor’s office, a church, or a political event,” and the Attorney General calls it the gravest violation of Arizona’s Consumer Fraud Act in the state’s history. Temu denies the allegations.

For CISOs managing BYOD environments, this lawsuit raises red flags.

  • Ban high-risk foreign apps from devices accessing corporate data.

  • Use MDM to isolate business data from personal use.

  • Enforce device attestation and risk-based access for mobile endpoints.

This case could set a new precedent for data sovereignty and privacy enforcement against overseas apps operating in the U.S.

India Drops Controversial Cybersecurity App Mandate

India’s government has reversed its decision to mandate installation of the Sanchar Saathi cybersecurity app on all new smartphones after backlash from privacy advocates and foreign manufacturers.

The app, which allowed the government to track and disable devices remotely, was framed as an anti-fraud initiative but drew criticism for state surveillance risks.

Multinationals operating in India avoid an immediate compliance headache, but the whiplash highlights a volatile regulatory environment; expect the mandate to resurface later with a quieter implementation.

Microsoft Patches LNK Exploit Actively Abused in the Wild

Microsoft has quietly mitigated an actively exploited Windows shortcut (LNK) vulnerability (CVE-2025-9491): a crafted .lnk file could run an attacker-chosen command when a user opened it, while the shortcut’s Properties dialog showed nothing suspicious.

The flaw, reported by Trend Micro’s Zero Day Initiative (ZDI), had been exploited for years by multiple APT groups, which used the crafted shortcuts to launch malware while the displayed target looked harmless.

Admins should deploy the updated Windows patches, monitor for process creation (cmd.exe, powershell.exe, mshta.exe, and similar interpreters) spawned when a user opens a shortcut, and treat .lnk files arriving by email or inside archives as hostile until proven otherwise.
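To hunt for these shortcuts on disk or at the mail gateway you need to read the command line the dialog hides. The following is an added example, not Microsoft’s, ZDI’s, or the post’s code: a minimal parser for the Shell Link binary format (MS-SHLLNK: a 76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields) and a heuristic that flags arguments padded with whitespace, which is how ZDI publicly described these samples hiding their real command line. The two shortcuts it inspects are built in memory and harmless; the padding threshold and launcher list are assumptions to tune.

```python
"""Parse Windows shell link (.lnk) StringData and flag whitespace-padded arguments.

Added example following the MS-SHLLNK layout. build_lnk() constructs minimal
shortcuts in memory (no IDList, no LinkInfo) purely as test input; the padding
heuristic is an assumption based on ZDI's public description of these samples.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
PAD_CHARS = " \t\r\n\x0b\x0c"          # space, tab, CR, LF, VT, FF
LAUNCHERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
             "wscript.exe", "cscript.exe", "rundll32.exe")


def _string_data(text, unicode=True):
    """StringData item: CountCharacters (2 bytes) then the characters, no terminator."""
    payload = text.encode("utf-16-le") if unicode else text.encode("cp1252")
    return struct.pack("<H", len(text)) + payload  # BMP-only text assumed


def build_lnk(relative_path, arguments, unicode=True):
    """Constructed minimal .lnk with only RelativePath and Arguments set."""
    flags = HAS_REL_PATH | HAS_ARGS | (IS_UNICODE if unicode else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, Creation/Access/Write time,
    # FileSize, IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1-3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + _string_data(relative_path, unicode) + _string_data(arguments, unicode)


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < 0x4C:
        raise ValueError("too short for a shell link header")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    off = 0x4C
    if flags & HAS_ID_LIST:        # IDListSize excludes its own 2 bytes
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:      # LinkInfoSize includes its own 4 bytes
        (linkinfo_size,) = struct.unpack_from("<I", data, off)
        off += linkinfo_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, off)
            off += 2
            nbytes = count * 2 if unicode else count
            raw = data[off:off + nbytes]
            off += nbytes
            fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def assess_lnk(data, min_leading_pad=16):
    """List reasons a shortcut looks crafted to hide its real command line."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    reasons = []
    leading = len(args) - len(args.lstrip(PAD_CHARS))
    if leading >= min_leading_pad:
        reasons.append(f"arguments start with {leading} whitespace characters")
    if any(c in "\t\r\n\x0b\x0c" for c in args):
        reasons.append("arguments contain control whitespace (tab/CR/LF/VT/FF)")
    target = (fields.get("relative_path") or fields.get("name") or "").lower()
    if reasons and target.endswith(LAUNCHERS):
        reasons.append(f"padded arguments passed to {target.split(chr(92))[-1]}")
    return reasons


# Constructed inputs: an ordinary shortcut and one padded to hide its command line.
BENIGN = build_lnk(r"..\..\Program Files\Tool\tool.exe", "--config prod.cfg")
PADDED = build_lnk(r"..\..\Windows\System32\cmd.exe", " " * 300 + "/c echo padded-shortcut-demo")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, assess_lnk(blob) or ["clean"])
```

Point this at files collected from mail attachments or user profiles (`open(path, "rb").read()`), and treat any hit as a sample to pull, not just an alert: the parser gives you the full argument string the user never saw.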

Largest DDoS Attack in History Peaks at 29.7 Tbps

Cloudflare has confirmed the largest-ever distributed denial-of-service (DDoS) attack: a 29.7 terabit-per-second onslaught driven by the Aisuru botnet.

The attack combined UDP amplification and reflection, hitting 15,000 destination ports simultaneously while generating 14 billion packets per second. The scale is staggering, dwarfing the previous 22 Tbps record.

Cloudflare mitigated the event without customer downtime, but the message is clear:

  • DDoS peak volumes keep climbing, well past anything on-premises scrubbing can absorb.

  • Botnets like Aisuru, built from millions of compromised IoT devices, are the new digital artillery.

If you’re responsible for external-facing services, it’s time to review DDoS mitigation SLAs, DNS redundancy, and upstream filtering contracts, and to confirm that your provider’s mitigation capacity and time-to-mitigate are written into the contract rather than a sales deck.

Chrome 143 Fixes High-Severity Exploits

Google has released Chrome version 143, patching several high-severity vulnerabilities, including a V8 JavaScript engine type confusion bug (CVE-2025-13630).

Organizations should push updates immediately, especially since remote code execution through browser exploits remains one of the easiest ways to compromise endpoints.

AI “Claude Skills” Platform Exploited for Ransomware

Researchers have shown that AI workflow platforms, such as Anthropic’s Claude Skills, can be abused as ransomware delivery mechanisms.

Attackers are creating booby-trapped AI integrations that exfiltrate data or trigger unintended account actions when granted broad permissions. These malicious AI automations — essentially “rogue agents” — can act as data exfil bots or internal disruptors once embedded in enterprise systems.

Security teams should inventory installed AI skills and integrations, review what each one can execute and which APIs it reaches, and enforce least-privilege, scoped OAuth grants instead of broad read/write-everything tokens.

U.S. State Department Offers $10M Bounty for Iranian Cyber Operatives

The U.S. Department of State is offering rewards of up to $10 million for information on two Iranian cyber operators tied to the IRGC’s Shahid Shustari Unit, accused of targeting U.S. elections, energy infrastructure, and businesses.

Both individuals, Fatemeh Sadeghian Kashian and Mohammad Bagher Shirinkar, are known for coordinating phishing and destructive attacks across multiple fronts. The bounty is part of a broader push to deter state-sponsored hacking through public exposure and financial incentives.

Action List

  • 🏦 Rotate credentials and API keys for any Marquis integrations.

  • 📱 Enforce port-out PINs and disable remote SIM swaps for mobile accounts.

  • 🧰 Review supply-chain vendor access for retail and fulfillment systems.

  • 🛍️ Restrict risky foreign apps from BYOD or corporate devices.

  • 🌐 Verify Windows and Chrome patches are deployed across the enterprise.

  • 🧠 Conduct DDoS tabletop exercises and review network redundancy.

  • 🤖 Audit AI automation workflows for overprivileged permissions.

  • 💣 Enable endpoint monitoring for LNK file execution and malicious scripts.


James Azar’s CISO’s Take

Today’s episode is a masterclass in third-party risk, national policy, and the convergence of AI and cyber operations. From the Marquis vendor breach to Temu’s alleged spyware behavior, we’re reminded that supply chains — both digital and political — define our exposure surface.

My biggest takeaway? The line between IT risk and geopolitical risk has fully blurred. Whether it’s a DDoS botnet or a foreign app harvesting user data, your threat landscape isn’t just technological — it’s strategic. As CISOs, we must navigate that complexity, keeping our organizations resilient amid rising regulatory pressure, AI-driven threats, and a fragmented digital world.

We’ll be back on Monday at 9 a.m. Eastern with the latest cybersecurity news. Tomorrow, Friday, we’ll be dropping our weekly summary. Saturday, part two of our article series, “How ARR Became King and How It Affected CISO Budgets,” digs into exactly that: how the subscription model and ARR pressure on cybersecurity vendors is throwing CISO budgeting out of whack and causing a whole bunch of headaches. So go check that out. That’s all available at cyberhubpodcast.com. Thank you all for tuning in.

Have a great rest of your day. And most importantly, y’all, stay cyber safe!
