CyberWire Daily - China’s largest data leak exposes billions.
Episode Date: June 5, 2025
Researchers discover what may be China’s largest ever data leak. CrowdStrike cooperates with federal authorities following last year’s major software bug. A researcher discovers over half a million sensitive insurance documents exposed online. Microsoft offers free cybersecurity programs to European governments. The FBI chronicles the Play ransomware gang. Google warns a threat group is targeting Salesforce customers. A former Biden cybersecurity official warns that U.S. critical infrastructure remains highly vulnerable to cyberattacks. The State Department offers up to $10 million for information on the RedLine infostealer malware. Our guest is Anneka Gupta, Chief Product Officer at Rubrik, on the challenges of managing security across systems. Some FDA workers want to put their new Elsa AI on ice.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today we have Anneka Gupta, Chief Product Officer at Rubrik, talking about organizations moving to the cloud thinking security will be handled there and the challenges of managing security across systems.
Selected Reading
Largest ever data leak exposes over 4 billion user records (Cybernews)
CrowdStrike Cooperating With Federal Probes Into July Software Outage (Wall Street Journal)
Two Decades of Triangle Insurance Documents Exposed Publicly (Substack)
Microsoft offers to boost European governments' cybersecurity for free (Reuters)
FBI: Play ransomware gang has attacked 600 organizations since 2023 (The Record)
Google Warns of Vishing, Extortion Campaign Targeting Salesforce Customers (SecurityWeek)
‘I do not have confidence’ that US infrastructure is cyber-secure, former NSC official says (Nextgov/FCW)
China issues warrants for alleged Taiwanese hackers and bans a business for pro-independence links (AP News)
US offers $10M for tips on state hackers tied to RedLine malware (Bleeping Computer)
FDA rushed out agency-wide AI tool—it’s not going well (Ars Technica)
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
Researchers discover what may be China's largest ever data leak.
CrowdStrike cooperates with federal authorities following last year's major software bug.
A researcher discovers over half a million sensitive insurance documents exposed online.
Microsoft offers
free cybersecurity programs to European governments.
The FBI chronicles the Play ransomware gang.
Google warns a threat group is targeting Salesforce customers.
A former Biden cybersecurity official warns that U.S. critical infrastructure remains
highly vulnerable to cyber attacks.
The State Department offers up to $10 million
for information on the Red Line InfoStealer malware.
Our guest is Anneka Gupta, Chief Product Officer of Rubrik,
on the challenges of managing security across systems.
And some FDA workers want to put their new Elsa AI on ice.
It's Thursday, June 5th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
Great as always to have you with us.
In what may be China's largest data leak ever, over 4 billion personal records totaling
631 gigabytes were exposed from an unsecured
database.
The leak includes sensitive financial data, WeChat and Alipay information, ID numbers,
addresses, and more, potentially affecting hundreds of millions of users.
Cybernews and researcher Bob Diachenko discovered 16 data collections containing massive databases
with hundreds of millions of records each.
The data appears to be meticulously compiled, likely for surveillance or profiling purposes.
The database was quickly taken offline, leaving no clear attribution or recourse for victims. Experts warn the data could fuel phishing, fraud, blackmail, or state-level espionage.
This leak dwarfs previous Chinese breaches and underscores the severe privacy risks at play.
CrowdStrike is cooperating with federal authorities
following the major software bug last July that knocked millions
of computers offline.
In a recent SEC filing, the company revealed that the Justice Department and SEC are investigating
the incident, as well as CrowdStrike's revenue recognition practices and reporting of annual
recurring revenue.
Other agencies and third parties have also requested information, with
some customers threatening legal action. The July 19 outage, triggered by a flaw in the
Falcon software, disrupted flights, backend systems, and user devices. CrowdStrike disclosed
the update alongside its fiscal quarter one report, showing a swing to a loss and a weaker outlook
due to ongoing costs from the incident.
Shares dropped 5.3% following the news, though the stock remains up 35% over the last year.
Last month, researcher JayeLTee discovered a misconfigured cloud server exposing over 571,000 sensitive insurance
documents belonging to Triangle Insurance in the U.S.
The records, dating from 2006 to April 2025, included health claim forms, declaration pages,
and decision letters.
Despite an initial email alert sent on May 8, Triangle didn't respond, likely due to
spam filters.
The researcher then enlisted the help of @PogoWasRight of DataBreaches.net, who successfully
contacted the company on May 12.
The exposure was secured by the following day.
Triangle's COO later confirmed the fix and
thanked the researcher. The company is now investigating the issue with its software
vendor, has notified its regulator, and may inform affected individuals depending on findings.
The server had been exposed since at least July 2021.
Microsoft has launched a free cybersecurity program
for European governments to strengthen defenses
against AI-powered cyber threats,
many linked to state-backed actors from Russia, China,
Iran, and North Korea.
The initiative focuses on improving intelligence sharing
and preventing attacks.
Microsoft President Brad Smith emphasized using AI defensively,
noting tools can still detect AI-driven threats.
Microsoft also monitors the use of its AI to block cybercriminals.
Notable recent threats include deepfakes targeting Ukraine's president
and Slovakia's 2023 election.
Since emerging in 2022, the Play ransomware gang has hit over 900 organizations, making
it one of the most dangerous active cybercrime groups, according to a new FBI advisory.
This is a sharp rise from 300 attacks reported in its first year.
The group targets organizations across the Americas
and Europe often using email or phone threats to pressure victims into paying ransoms.
Play frequently exploits flaws in the SimpleHelp remote monitoring tool and customizes
its ransomware for each attack to evade detection.
High-profile victims include cities like Oakland and Dallas County and even the Swiss government.
The FBI also noted possible links between Play and North Korean hackers, suggesting
collaboration in some breaches.
The group remains highly active, especially against U.S.-based organizations.
Google has warned that threat group UNC6040 is
targeting Salesforce customers in a widespread voice phishing and data
extortion campaign. The group impersonates IT support staff in phone
calls, tricking employees into approving access for a modified Salesforce data
loader app. This unauthorized tool allows
attackers to exfiltrate sensitive data, which is later used for extortion. Around 20 organizations
across sectors like education, retail, and hospitality in the Americas and Europe have
been hit.
UNC6040 often leverages social engineering alone. No Salesforce vulnerabilities were exploited.
Once inside, they move laterally to platforms like Microsoft 365 and Okta.
The group claims ties to ShinyHunters and shows overlap with tactics used by The Com collective,
including Scattered Spider.
Google highlights this as part of a rising trend
of attackers targeting IT support roles for initial access.
At the AI Expo for National Competitiveness, former Biden cybersecurity official Anne Neuberger
warned that U.S. critical infrastructure remains highly vulnerable to cyber attacks. She said, "I do not have confidence that any part of our infrastructure couldn't be brought down,"
citing outdated tech, Internet-exposed systems, and weaker defenses for operational technology.
Neuberger emphasized using AI to identify flaws in legacy systems, including through
digital twins, for testing.
She also stressed the importance of allied intelligence sharing, referencing past cooperation
with Israel and Asian partners on threats like election interference and North Korean
crypto theft.
Now a Stanford lecturer, Neuberger called ongoing federal cyber staffing cuts troubling, but sees AI as a chance to
rethink cyber defense, focusing on patching the most critical vulnerabilities before adversaries
like China or Russia exploit them.
The U.S. State Department is offering up to $10 million for information on foreign government-backed hackers using the RedLine infostealer malware
or on its suspected creator, Russian national Maxim Alexandrovich Rudometov.
This reward, part of the Rewards for Justice program, targets individuals involved in cyber
attacks against U.S. critical infrastructure.
Rudometov, charged in October, allegedly managed RedLine's infrastructure and laundered payments
via crypto.
The reward also applies to any associates or state-linked use of the malware.
The RedLine and META malware platforms were disrupted during Operation Magnus, a joint international
effort involving Dutch authorities and Eurojust,
leading to server seizures and arrests.
ESET helped map 1,200 related servers and released a tool for detecting infections.
Rudometov remains at large and faces up to 35 years in prison if convicted.
Coming up after the break, my conversation with Anneka Gupta from Rubrik.
We're discussing the challenges of managing security across systems, and some FDA workers
want to put their new Elsa AI on ice.
Stick around.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and
compliance. It automates the essentials, from internal and third-party risk to consumer
trust, making your security posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have. According to a recent analysis from
IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real
impact. So, if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta.
GRC.
How much easier trust can be.
Get started at vanta.com slash cyber.
Anneka Gupta is Chief Product Officer at Rubrik.
I caught up with her recently to discuss the challenges of managing security across systems.
Well, I think what we can see is that over the past 10 years, as people have gone from
being predominantly in data centers to adopting a lot more cloud and SaaS applications within
their infrastructure story, that what this has meant is that the number of services
that they're using, the number of applications,
and where all of the data that they have within their
organization, whether it's their own internal data
or their customer's data, is living in so
many different places.
An average organization uses over 100 SaaS applications.
They might be leveraging multiple public clouds.
They likely have multiple data centers
if they have any on-premise footprint.
And so when you put all of that together,
trying to understand the lay of the land
and even knowing and having visibility
into where are your applications and where is your data
becomes an overwhelming challenge for most organizations.
Well, can we dig into that some? I mean, what are some of the specific perils that you see organizations facing when it comes to this?
Yeah, I mean, certainly from a cyber risk and cybersecurity standpoint, one big challenge is that you have so much data and you have so many applications living in so many different places.
And when you're looking at the risk to your organization of an attacker getting to your valuable assets,
getting to your tier zero, tier one applications, a big question is,
well, how do I even know where's my sensitive data?
How do I even know what are all the components that make up a Tier 0 or Tier 1 application.
And the answers to those questions are actually very,
very difficult to answer.
Often what organizations are doing is they're looking for,
they have an internal, essentially program manager
going to a bunch of different business leaders and saying,
hey, what is your most important application?
And then trying to reverse engineer, well, okay,
does that application have data, sensitive data in it?
What are all the components that are building up
that application?
And that's just a really challenging situation.
What we can see is as a result,
organizations are having a lot of challenges
managing cyber attacks and breaches.
In a recent report we did and research we did,
we found that one third of companies
have been forced to make leadership changes as a result
of cyber attacks and breaches.
And at the same time, they've increased their security
spending by 40%.
So people are spending more and yet getting
breached more often.
And a lot of this is having to do with, hey, I can't manage this infrastructure
that I now have across my organization and manage the data that sits within that
and understanding what's sensitive and what's super high priority.
I guess, I mean, it's fair to say that nobody sets out to lose control of this, right?
Everybody has best intentions.
And then is it typically a matter of the team waking up one day
and saying, hey, gang, we've got a problem here?
I don't think it's a one day you wake up and say, hey,
I think I have a problem.
I think it's just the result of running a business.
The reality is is that businesses have to grow.
They have to make money.
They have to innovate.
And when you have multiple business leaders
and multiple R&D organizations and your IT organization,
everyone trying to innovate,
they're trying to use best of breed solutions
and best of breed tools and applications
in order to move faster and deliver business results.
So it's just the fact of doing business.
And I think security teams for a long time
have recognized well, and have been anxious
about the fact that they're giving up control
and that they don't know what's going on
in their environment.
And as people move to the cloud,
you have developers that are just sometimes
just spinning up instances without using a golden image
or doing a ton of things that are not best practices
because they're trying to move fast and people aren't trying to be malicious.
They're just trying to do their jobs faster and faster and AI is only going to
exacerbate that even further where people are using AI because it's a great
productivity boost.
So people are trying to find the best tools, the best mechanisms to do their work
better and to deliver those business results.
And that's just meaning that over time, the tools for visibility just haven't been able
to keep up with the amount of innovation
and sprawl that's happening within organizations.
Are there common mistakes that you see people making
as they try to get this under control?
Yeah, I mean, I think one is just say like,
and I wouldn't say this is like necessarily super common.
I think every security leader is trying to do something,
but I think some people are also feeling like,
well, you know, is this my highest priority thing?
Is it getting visibility across my applications and data?
Is that my highest priority issue?
Or is it just trying to mitigate the active attacks
that are happening to me right now?
And I think that's a real trade-off
that some organizations have to make based on resources,
both people resources, as well as technology, budget, et
cetera.
So I think there are some organizations that are not
saying, hey, how do I lay the foundation which
starts with visibility and understanding
your applications, understanding where
does your sensitive data live,
and being able to classify that so you can protect
your most valuable crown jewels
and not have to worry about every single alert
that's emerging and trying to mitigate that,
especially if it's against something
that isn't super important to your organization.
I mean, you still have to go do all of that work too,
but I think a lot of teams get caught in the reactive mode
and not enough in the, hey, what can I do proactively to give
myself more visibility so I can be better prepared for the
future? And where do I lack visibility? People lack
visibility all over the place. So how do you decide what you
invest in first to like give you the visibility that you need in
your organization? And I would argue that having visibility
into your sensitive data and your sensitive applications
is super, super important building block.
It's also really hard to do.
So often folks don't invest enough in it
because it's a big initiative to go after.
Well, when you say visibility,
how do you specifically define that?
I think like understanding, for instance, if you're a, let's say you're a financial institution,
understanding in the course of your business, what are your most important applications
that you just cannot afford to be down because it would actually just completely break your
organization or cause you massive regulatory issues.
That's one. Then being able to understand,
well, for my organization,
what is the data that is most important and
most sensitive and confidential, again,
maybe because it's related to your customers or because
of regulatory issues that may emerge if
that data is breached or lost in some way.
And if you can understand both of those things of, hey,
I know what my applications look like that are my most
important.
So for banking, it's probably the core banking application.
It's the core way that they manage money transfers
across accounts in and out of the bank.
Those are the things that are going to be the absolute critical applications.
And then the data might be their customers' personal information and
their customers' financial information.
That might be their most critical asset because that's the thing that if it gets
breached or lost, it's a massive, massive risk to the organization.
So I think leaders have to take this approach of, for my organization, where does my highest
risk lay, both in terms of the applications themselves and the data?
And then how do I get visibility into this on an ongoing basis of how do I identify these
critical applications?
And then how do I identify where does critical customer data live so that you can
on ongoing basis monitor that making sure that critical customer data isn't going into a dev
instance or isn't getting exposed to public IPs on the internet things like that that are very
critical to manage in order to ensure that you protect those credentials. For someone who's ready
to go down this path what sort of advice do you have for them,
specifically in terms of how disruptive this is going to be or not as they begin the process?
So I think as with any change, you have to think about both as a leader, you have to
think about both the people, the process, and the technology that's going to be involved
in making this change.
So from a people perspective, like who are you going to allocate to making this successful?
How are you going to make sure that the key business leaders are brought along with this?
Because it's not like IT or security can go do this effort in a vacuum.
They need the cooperation of the business leaders across the organization.
They need to figure out how can, like, why are they
doing this effort?
How do they articulate the why?
How do they articulate the risk to the organization
and how they're trying to mitigate those risks by going
down and doing these efforts?
I think from a process perspective, really,
like, you can't boil the ocean in this.
Like, you have to figure out, where do I get started?
And maybe you get started with one application,
one type of data, and really get a good handle on what
is it going to take to not only just create
this like kind of catalog once, but how are you
going to do this on an ongoing basis
and maintain it for one subset of use
cases within your organization.
And then you expand that over time,
and you get coverage of more applications,
more types of data, more footprints,
so that you're able to continuously get better,
because it really is going to be a journey.
And then from a technology perspective,
really looking at what are solutions
that can serve your organization best,
knowing that most organizations, again, have applications and data sitting across on-prem,
cloud, and SaaS.
So can you buy a technology that's not just a point solution for one type of application
in your organization or one type of use case, but buy something that's going to take you
on that, that's going to be on that journey with you, that's going to give you centralized management and
visibility no matter where your applications are,
where your data is.
Making those technology choices and
the right technology choices early is really going to
help be an accelerant for both the people and process.
That's Anneka Gupta from Rubrik.
And finally, in what could be described as the FDA's leap into the future, or a fast-forward stumble, the
agency has rolled out Elsa, a generative AI tool built to make government work more high-tech
and, ideally, less glacial.
Heralded as the dawn of a new AI era, Elsa is supposed to help everyone from scientific
reviewers to inspectors whip through data
and spot health risks faster than a caffeine-fueled intern.
But according to FDA insiders, Elsa might be better suited to writing office memos than
evaluating life-saving drugs.
The system, based on Anthropic's Claude and developed by Deloitte to the tune of $28.5 million, has already
been caught spouting inaccuracies and offering partial truths, which to be fair is kinda on
brand for Washington.
Staff have labeled it rushed, buggy, and more hype than help.
Still, the FDA insists it's secure and promising.
Just maybe keep Elsa away from clinical decisions for now.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of summer.
There's a link in the show notes.
Please take a minute and check it out.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltsman.
Our executive producer is Jennifer Iben.
Peter Kilpey is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set it and forget it peace of mind.
And it's not just for individuals.
DeleteMe also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.