CISO Intelligence
Source: Security Affairs · Category: Security News — Technology Fortinet patched critical CVE-2026-44277 (improper access control) in FortiAuthenticator and FortiSandbox allowing remote code execution. Law firms using Fortinet FortiAuthenticator or FortiSandbox must patch immediately to prevent account compromise and sandbox bypass. → Read the full article
CISO Intelligence
Source: Risky Business News · Category: Supply Chain Damaging worm discovered in npm package ecosystem. Law firms using Node.js dependencies (internal tools, client tech stacks) face supply chain risk. Audit firm's npm dependencies and client-supplied code for worm signatures; coordinate with development teams. → Read the full article
CISO Intelligence
Source: DataBreaches.net · Category: Regulatory & Legal UK Information Commissioner's Office fined South Staffordshire Water £963,900 for cybersecurity failures leading to 2020–2022 breach exposing personal data. Signal: UK ICO enforcing security standards retroactively and heavily. Firms advising UK water/utilities clients should review incident response and
CISO Intelligence
Source: Hackread · Category: Supply Chain TeamPCP used Mini Shai-Hulud self-propagating worm to hijack OIDC tokens and poison 400+ npm and PyPI packages (TanStack, Mistral AI, UiPath). Law firms relying on these open-source dependencies or advising software clients must audit package versions and rebuild any internal tools using affected libraries. → Read
CISO Intelligence
Source: CyberScoop · Category: AI Security Fake identity fraud driven by AI projected to cause $40B in losses next year; static defenses insufficient. Law firms must assess AI-driven identity theft and fraud risk to firm operations (client impersonation, attorney credential spoofing) and recommend adaptive, AI-enabled detection to clients. → Read the full
CISO Intelligence
Source: BleepingComputer · Category: Security News — Technology Two unpatched Windows vulnerabilities (YellowKey BitLocker bypass, GreenPlasma privilege escalation) with public proof-of-concept released. Law firms use Windows extensively for endpoint security; these flaws compromise encrypted drives and system access controls. Coordinate with IT to prioritize patches and assess data protection posture on firm
CISO Intelligence
Source: CyberScoop · Category: AI Security Claude Mythos and GPT-5.5 broke all benchmark forecasts for autonomous cyberattack capability; researchers uncertain if this is temporary spike or new baseline. Law firms must assume AI-assisted attacks are now significantly more sophisticated than prior models predicted; reassess incident response and threat detection adequacy.
CISO Intelligence
Source: Help Net Security · Category: AI Security Non-human identities (AI agents, service accounts) are increasingly granted persistent, unaudited administrative access with no clear owner or access reviews. As law firms deploy AI tools for document review, research, and case management, uncontrolled NHI privileges pose confidentiality and privilege waiver risks; urgent
CISO Intelligence
Source: Help Net Security · Category: Security News — Technology Microsoft's agentic security system (MDASH) discovered 16 vulnerabilities in Windows networking/authentication, including 4 critical RCEs (CVE-2026-40361, CVE-2026-40364). AI-powered vulnerability discovery by Microsoft; critical Windows flaws likely requiring rapid patching. Firm must assess Windows environment exposure and patch timeline; clients
CISO Intelligence
Source: HIPAA Journal · Category: Ransomware & Breach Rhode Island finalized $12 million settlement with Deloitte Consulting over RIBridges cyberattack. Major professional services firm breach affecting government systems; demonstrates regulatory enforcement appetite and settlement scale for large vendor incidents. Relevant to firm's clients engaging big consultancies and government contracts.
CISO Intelligence
Source: DataBreaches.net · Category: Ransomware & Breach Instructure and PowerSchool breaches affecting schools drawing Congressional and DHS attention; Navigate360 breach data exposure still unclear. Client notification: school districts and parents must be notified per state breach laws (30–90 days typical). If firm represents K–12 or higher-ed clients, advise
CISO Intelligence
Source: DataBreaches.net · Category: AI Security Community Bank self-reported to SEC that it uploaded customer data into an unauthorized AI application. Critical: internal compliance failure; filed 8-K disclosure. Implications for firm: review which employees have access to customer/confidential data and which AI tools are approved; unauthorized AI use is