SSL.com DCV Issues Unvalidated Certificates; Blue Shield of California Leaks 4.7M Members' Data; Verizon 2025 Data Breach Investigations Report

Certificate authority SSL.com has revoked 11 certificates after a researcher reported a bug in a domain control validation (DCV) method that would allow a user to erroneously validate their ownership of the domain of their verification email address. SSL.com allows DCV establishment via email challenge response, including validation through a DNS TXT record, but the site's implementation of this method mistakenly adds the domain name of the user's email address to their list of verified domains, allowing a user to then request certificates for that domain. Fraudulently obtained TLS certificates could be abused to create spoofed phishing sites, to decrypt HTTPS traffic and enable man-in-the middle attacks, and more. There is no evidence the now-revoked certificates issued using this bug were obtained maliciously; SSL.com has temporarily disabled this DCV process until the flaw is fixed, and will issue an incident report by May 2, 2025.

Health insurance provider Blue Shield of California has posted a notice of a data breach discovered on February 11, 2025, also disclosing in a legally required report to the US Department of Health and Human Services (HHS) that approximately 4.7 million people will be notified their data may have been exposed. No attack nor threat actor was involved: Blue Shield had been using Google Analytics "to internally track website usage of members who entered certain Blue Shield sites," and discovered that Between April 2021 and January 2024 the service "was configured in a way that allowed certain member data to be shared with Google's advertising product, Google Ads, that likely included protected health information," making this a possible breach of HIPAA compliance. Sensitive member data that may have been leaked and subsequently used in focused ad campaigns targeting members as a result include: "Insurance plan name, type and group number; city; zip code; gender; family size; Blue Shield assigned identifiers for members' online accounts; medical claim service date and service provider, patient name, and patient financial responsibility; and 'Find a Doctor' search criteria and results (location, plan name and type, provider name and type)." Social Security Numbers, driver's license numbers, and banking and credit card information were not involved. Blue Shield disconnected Google Analytics from Google Ads on its sites in January 2024, and is reviewing its sites "to ensure that no other analytics tracking software is impermissibly sharing members' protected health information." The notice encourages members to be vigilant, reviewing and protecting their accounts and credit reports.

Among the highlights of Verizon's 2025 Data Breach Investigations Report: thirty percent of breaches involved third-party entities, double the figure from the previous year; while forty-four percent of breaches involved ransomware, the number of organizations that refused to pay the ransomware demand was 64 percent, up from 50 two years ago, and the average ransomware payment was $115,000, down from last year's average of $150,000. The report data are drawn from incidents that took place between November 1, 2023 and October 31, 2024.

In 2024, the FBI's Internet Crime Complaint Center (IC3) received reports of losses incurred from cyberattacks totaling $16.6 billion, mostly from fraud and ransomware. This marks a 33 percent increase over 2023 reported losses. Deputy Assistant Director of the FBI's Cyber Division Cynthia Kaiser told reporters that the figure is not representative of total losses to cybercrime, as not all cybercrime is reported to contact law enforcement. Ransomware was the largest threat to critical infrastructure organizations. In all, IC3 received nearly 860,000 complaints in 2024.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published Industrial Control System (ICS) advisories regarding vulnerabilities affecting products from Siemens, Schneider Electric, and ABB. The Siemens advisories address multiple SQL injection vulnerabilities and an improper handling of length parameter inconsistency issue in Siemens TeleControl Server Basic. The Schneider advisories address an information exposure vulnerability in Schneider Electric Wiser Home Controller WHC-5918A and an incorrect calculation of buffer size issue in Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC. The ABB advisory addresses multiple improper input validation vulnerabilities, an improper restriction of operations within the bounds of a memory buffer vulnerability, and an out-of-bounds write vulnerability in ABB MV Drives.

The computer systems and website of Spanish water supplier Aigues de Matar— experienced a cyberattack; the company, which oversees both drinking water and sewage systems for the town of Matar—, says that while billing and other administrative services have been disrupted, their quality control systems were unaffected by the incident. They have notified customers that their personal information may have been compromised in the attack.