Cyber Security Headlines: ‘Mudge’ joins Rapid7, Meta fined $400 million, GDPR costs Coinbase $100 million

‘Mudge’ joins cybersecurity firm Rapid7

Peiter ‘Mudge’ Zatko, the prominent computer security expert who blew the whistle on Twitter last year over alleged security issues, is joining the cybersecurity firm Rapid7. Zatko will advise Rapid7’s executive team and customers in a part-time role. Mudge will report directly to the company’s chief executive officer, Corey Thomas, who called Zatko’s extensive experience “invaluable.”

(Bloomberg)

Meta fined $400 million by European regulator

Ireland’s Data Protection Commission (DPC) has fined Meta €390 million (about $413 million) after years-long inquiries into Facebook’s and Instagram’s data processing operations. The DPC ruled Meta to be in violation of the European Union’s General Data Protection Regulation (GDPR), for failing to inform users how their personal data was being used. The ruling exposed a disagreement amongst European regulators about how to enforce GDPR. Initially the fines proposed by the DPC were much lower but were raised upon orders from the European Data Protection Board (EDPB).

(The Record)

Coinbase strikes a $100 million deal with regulators

The publicly traded crypto exchange, Coinbase, will pay $100 million for violating New York state laws. The New York State Department of Financial Services found that Coinbase’s compliance program failures made it “vulnerable to serious criminal conduct, including, among other things, examples of fraud, possible money laundering, suspected child sexual abuse material-related activity, and potential narcotics trafficking.” Wednesday’s announcement comes amidst mounting pressure on regulators to monitor crypto exchanges in the wake of the November collapse of FTX. Coinbase will pay $50 million in penalty fees to the state, and another $50 million to ramp up its compliance program.

(NPR)

Nearly 20 car manufacturers potentially exposed PII

In November, researchers discovered significant API vulnerabilities in the technologies of well-known vehicle brands, including BMW, Rolls Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis. The flaws could allow a threat actor to unlock, start and track cars as well as expose personal information of customers. The most severe API flaws were found in BMW and Mercedes-Benz, which could allow attackers to access internal systems. Ferrari also suffered from poorly implemented SSO on its CMS, exposing backend API routes and making it possible to modify and delete any Ferrari customer account, manage their vehicle profile, or set themselves as car owner. The impacted vendors have fixed all issues so they are no longer exploitable.

(Bleeping Computer)

Flipper Zero phishing attacks target infosec community

A new phishing campaign is exploiting the security community’s growing interest in a hacking tool called Flipper Zero. Flipper Zero is a pen-testing “swiss army knife” that offers support for RFID emulation, digital access key cloning, radio communications, NFC, infrared, and Bluetooth. Threat actors are taking advantage of the popular tool and its scarce availability by creating fake Twitter accounts and stores. The stores aim to direct would-be buyers to the phishing checkout page, where they enter their name, email and shipping addresses and choose to pay using Ethereum or Bitcoin cryptocurrency.

(Bleeping Computer)

The Guardian cyberattack hits week two forcing staff to work from home

British publication, The Guardian, suffered what it first referred to as a “serious IT incident” on its systems on December 21. The Guardian now suspects the incident resulted from a ransomware attack. The company said, “We have been able to keep publishing our journalism digitally and in print, but a number of key IT systems have been affected.” Most of its staff in the UK, US and Australia will continue working from home until at least January 23. 

(The Register)

Ex-GE engineer gets two years in prison for stealing turbine tech for China

In March, former General Electric engineer, Xiaoqing Zheng, was convicted of conspiring with his wife’s nephew and the Chinese government to steal GE’s ground and aviation-based turbine trade secrets worth millions of dollars. Beijing has listed both of these technologies as major research and manufacturing priorities in the country’s latest five-year plan. In 2016, Zheng co-founded a Chinese company that develops turbine parts but assured GE there was no conflict of interest. In 2017, GE discovered that Zheng was encrypting proprietary files using his own software and then cleverly hiding them in the code of image files using steganography before exfiltrating them via email. A US judge has sentenced Zheng to two years in prison, a year of supervised release and a $7,500 fine.

(The Register)

Danish bank workers celebrate first full year without robberies

Denmark has recorded its first year without bank robberies. A report from the country’s finance workers’ union attributes the landmark to the increasingly cashless society, which has led banks to reduce their cash services, leaving little potential loot for robbers. The report said that in 2000 there were 221 bank robberies and that the number has gradually decreased to fewer than 10 per year since 2017.

(Slashdot)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.