CISO Talk by James Azar
CyberHub Podcast
Spanish Airline Attributes Breach to November Incident, Illinois Agency Exposes 700K Records, and UK Cyber Action Plan Deep Dive

Iberia Pushes Back on Fresh Breach Claims as Repackaged November Data While Illinois DHS Misconfiguration Exposes 672K Medicaid Recipients and UK Government Admits "Critically High" Cyber Risk

Good Morning Security Gang

We’re wrapping up the first week of the year — and I’ll tell you what, this week has been relentless. Every day has brought something new, and today’s no exception.

We’ve got a Spanish airline denying a new breach, an Illinois state agency leaking 700,000 resident records, and the UK government’s new Cyber Action Plan shaking up how nations might handle cybersecurity going forward. We’ll also talk about Australia’s anti-scam framework, a Chinese cyber scam kingpin’s arrest, VMware ESXi exploitation, a Chrome extension stealing AI chats, and a critical jsPDF flaw. And yes — BlackCat’s back, with a nasty new SEO poisoning trick.

So grab that espresso — mine’s a perfect double Lavazza with crema today — coffee cup cheers, y’all! Let’s get into it.

Iberia Airlines Says ‘New’ Breach Is Just Old News

Spanish national carrier Iberia Airlines pushed back on claims of a “new” data breach, saying the data currently circulating online comes from the November 2025 incident it already disclosed and contained.

Threat actors are repackaging old data and reselling it as fresh leaks — a tactic we’ve seen repeatedly this month. As I said on air:

“Threat actors dabble in crime, not truth. Every time they rehash old data, it’s not a hack — it’s a hustle.”

The repackaged dump could still harm customers through loyalty fraud and refund scams, so Iberia customers should:

  • Reset passwords and enable MFA.

  • Monitor loyalty point balances for unusual activity.

  • Step up risky login monitoring and credential stuffing defense across booking portals.

The takeaway? Even if it’s “old” data, the reputational hit for companies doesn’t fade — because the criminals keep resurrecting it.

Illinois State Agency Exposes 700,000 Residents’ Data

The Illinois Department of Human Services (IDHS) confirmed a data exposure impacting 700,000 residents, including 672,000 Medicaid and Medicare Savings Program participants.

Early indicators suggest this was a misconfiguration, not a hack — but the exposed records could still fuel identity theft and benefits fraud, especially since the agency manages welfare and health data.

As I said on the show:

“Misconfigurations aren’t harmless — they’re doorways left open by neglect. And taxpayers always end up paying the bill.”

IDHS must now conduct asset inventories, access reviews, and key rotations, with object-level logging and MFA for all admins. It’s another example of government agencies treating cybersecurity as an afterthought — until citizens bear the consequences.

UK Government Cyber Action Plan: Centralization with Consequences

The UK government’s new Cyber Action Plan is out — and it’s bold. Released January 6th, the plan calls out government cyber risk as “critically high” and admits legacy systems and decentralized ownership have failed.

The UK wants to build a centralized cyber command structure, with mandatory standards, measurable milestones, and real funding. It’s modeled partly on CISA but gives more direct power to the new Government CISO.

In my take:

“The Brits finally said what no one else will — that fragmentation, not hackers, is the biggest threat to government cybersecurity.”

But there’s a tradeoff. Centralization can create resilience, or bureaucratic paralysis. The UK’s model works only if its leadership is competent — because, unlike the U.S.’s federated approach, this one lives or dies by the person in charge.

The UK optimizes for control and execution; the U.S. for scale and adaptability; the EU for consistency; and Israel for speed. Singapore? Precision. But every model has tradeoffs — and the UK’s may prove to be the most daring experiment of 2026.

Australia’s Anti-Scam Framework Draws Fire

Australia rolled out its new National Anti-Scam Framework, but critics argue it leaves too many gaps, especially around key financial rails and certain online platforms.

The framework sets out roles for regulators, banks, and telecoms — but still relies heavily on voluntary compliance. It’s a good start, but far from airtight.

My advice for organizations:

  • Treat the framework as a floor, not a ceiling.

  • Implement enterprise-side holds on suspicious transactions.

  • Enforce beneficiary change callbacks and brand abuse takedowns.

This one’s more PR than policy. As I said bluntly: “If regulation moves slower than the scammer, it’s not regulation — it’s decoration.”

Chinese Scam Kingpin Arrested and Extradited

Authorities in Cambodia arrested Chen Zhi, head of the Prince Group — a conglomerate accused of running massive scam call centers, human trafficking operations, and crypto laundering networks worth over $15 billion.

Chen was extradited to China rather than the U.S. or UK, keeping the case inside Beijing’s legal jurisdiction. Western intelligence sources believe this is less about justice and more about damage control, since Chinese officials were allegedly tied to the same scam syndicates.

As I said: “China’s cleaning house in public, but make no mistake — this was a cover-up dressed as cooperation.”

VMware ESXi Exploit Toolkit Targets Legacy Servers

A new turnkey exploit kit is spreading rapidly among attackers targeting unpatched VMware ESXi servers.

The toolkit chains old CVEs with weak management exposures to deploy ransomware or steal credentials from unsegmented environments.

Admins should:

  • Patch ESXi to supported builds.

  • Hide vSphere and vCenter behind VPNs and IP allowlists.

  • Rotate datastore credentials and alert on sudden snapshot or encryption bursts.

As I said on air: “ESXi is the crown jewel of compute — treat it like it.”

Chrome Extension Stealing AI Chats Hits 900K Installs

A malicious Chrome extension called AI Helper with over 900,000 installs was caught stealing AI-generated chat logs, tokens, and user data.

This means intellectual property, code snippets, and even confidential deal drafts pasted into AI tools were being exfiltrated in real time.

To mitigate:

  • Restrict corporate Chrome to an allowlist.

  • Ban unsanctioned AI extensions.

  • Adopt enterprise AI tenants with DLP and retention policies.

As I reminded listeners: “If you’re pasting code or contracts into a web UI, you’re not chatting — you’re leaking.”

Critical jsPDF Flaw Enables Secret Data Theft

A critical flaw in jsPDF, the open-source JavaScript library used to generate PDFs, lets attackers embed malicious JavaScript that steals secrets and tokens when the generated PDF is opened.

Developers should:

  • Upgrade jsPDF to the latest version.

  • Add Content Security Policy (CSP) headers.

  • Sandbox untrusted PDFs in isolated viewers.

Treat inline PDFs as executable content — because they are.
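Two defender-side pieces for the “treat PDFs as executable content” advice, written as an added example for this post (not code from the episode or from the jsPDF project): a byte-level scan that flags PDFs carrying script or auto-run actions, and the response headers a Node app would send so an untrusted PDF is downloaded under a CSP sandbox rather than rendered inline in the app’s origin. Assumes the PDF is already in memory as a Buffer; the sample PDFs are constructed.

```javascript
// PDF name tokens that introduce script or auto-run actions (PDF 32000-1, section 12.6).
const ACTIVE_CONTENT_MARKERS = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"];

// Returns the active-content markers present in the PDF's raw bytes.
// Caveat: markers inside compressed object streams (/ObjStm + /FlateDecode) are
// invisible to this scan, so an empty result means "nothing obvious", not "clean".
function findActiveContent(pdfBuffer) {
  const text = pdfBuffer.toString("latin1");
  // A PDF name ends at whitespace or a delimiter, so "/JS" must not match "/JSfoo".
  return ACTIVE_CONTENT_MARKERS.filter((marker) =>
    new RegExp(marker + "(?=[\\s/\\[\\]<>(){}%]|$)").test(text)
  );
}

// Headers for serving an untrusted PDF. "attachment" is the hard control: the file is
// never rendered inline in the app's origin. CSP "sandbox" is the header the episode
// recommends; nosniff stops the browser from second-guessing the content type.
function untrustedPdfHeaders(fileName) {
  const safeName = fileName.replace(/[^\w.-]/g, "_").replace(/^\.+/, "");
  return {
    "Content-Type": "application/pdf",
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "Content-Security-Policy": "sandbox; default-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
  };
}

// Constructed samples: one catalog with an auto-run JavaScript action, one without.
const SAMPLE_WITH_JS =
  "%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R " +
  "/OpenAction << /S /JavaScript /JS (placeholder) >> >> endobj\n%%EOF";
const SAMPLE_CLEAN =
  "%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF";

// Decision helper: quarantine anything that carries active content, serve the rest
// as a sandboxed download.
function decide(fileName, pdfBuffer) {
  const markers = findActiveContent(pdfBuffer);
  return markers.length > 0
    ? { action: "quarantine", markers }
    : { action: "download", headers: untrustedPdfHeaders(fileName) };
}

console.log(decide("report.pdf", Buffer.from(SAMPLE_WITH_JS, "latin1")));
console.log(decide("../report one.pdf", Buffer.from(SAMPLE_CLEAN, "latin1")));
```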

ownCloud Urges MFA After Credential Thefts

After multiple credential theft incidents, ownCloud is now urging users to enable phishing-resistant MFA, rotate admin keys, and restrict admin panels behind VPN or IP allowlists.

This one’s long overdue. It’s good advice, but it shouldn’t have taken a breach wave to get here.

BlackCat/ALPHV Launches SEO Poisoning Malware Campaign

The BlackCat ransomware gang (also known as ALPHV) is using SEO poisoning to lure victims. Search results for popular software now lead to Trojanized installers that infect admins and power users.

To defend:

  • Block ads of unknown origin.

  • Download only from verified publisher stores.

  • Deploy EDR tuned for PowerShell and LOLBin abuse.

As I said: “If ransomware gangs are buying Google Ads, maybe the problem isn’t security — it’s marketing.”

Action List

  • ✈️ Audit loyalty systems for fraudulent redemptions and enable MFA on customer accounts.

  • 🏢 Scan cloud storage for public misconfigurations — enforce object logging and admin MFA.

  • 🇬🇧 Study the UK’s Cyber Action Plan for lessons in centralization versus resilience.

  • 🇦🇺 Go beyond the anti-scam baseline — deploy transaction holds and brand abuse detection.

  • 🇨🇳 Track Chinese-linked scam arrests for insight into cross-border fraud tactics.

  • 💾 Patch ESXi, hide vCenter, and monitor snapshots.

  • 🧩 Whitelist Chrome extensions and disable unsanctioned AI plugins.

  • 📰 Update jsPDF and sandbox all PDF rendering.

  • 🔑 Enforce MFA across ownCloud and other collaboration tools.

  • 🚫 Block SEO-malware ads and train users to verify installers.


James Azar’s CISO’s Take

Today’s episode captures the global picture — the same old weaknesses, just repackaged: recycled breaches, government misconfigurations, and centralization gambles. From Iberia’s recycled data leak to Illinois’ exposed records, it’s clear that operational maturity still lags far behind compliance checkboxes.

My biggest takeaway? 2026 is the year of data déjà vu. Old data, old flaws, old frameworks — and new consequences. The UK is at least facing that reality with brutal honesty. But for everyone else, this is the time to double down on hygiene, visibility, and leadership. Because cyber resilience isn’t built on new buzzwords — it’s built on doing the basics better than the attackers.

Stay sharp, stay caffeinated, and as always — stay cyber safe.
