Microsoft "Digital Escort" Program Will Have Third-Party Audit; Matrix.org Foundation Homeserver Restored After RAID Failure; Dutch Cancer Screening Lab Notifies 941,000 of Data Breach

On August 27, 2025, US Secretary of Defense Pete Hegseth announced via social media that the Department of Defense (DoD) has issued "a formal letter of concern to Microsoft" and will oversee a third-party audit of the company's "digital escort" program. This program – which was the subject of a July 2025 investigation by ProPublica and subsequent review by the Pentagon – employs US citizens with security clearances to chaperone Microsoft's international engineers who work on the DoD cloud but are not allowed to access it directly. Insiders reported serious concern that the supervising escorts are insufficiently trained and "lacked the expertise to detect potential threats" when implementing engineers' requests or copying and pasting their code. Both the DoD and Microsoft have focused their immediate responses on prohibiting specifically China-based engineers from DoD systems rather than addressing the possible ongoing risk in Microsoft's hiring and training practices.

The Matrix Foundation's homeserver was offline for about 24 hours earlier this week following a RAID (Redundant Array of Independent Disks) failure. The issue began shortly after 11 AM on Tuesday, September 2, when "the matrix.org database secondary lost its FS due to a RAID failure." Shortly after 5:30 PM UTC that same day, the primary database was lost. After "an attempt to restore the primary database via a point-in-time backup from the previous evening ... failed," the database was restored from a 55 TB backup. Restoration was complete just after 5 PM UTC on Wednesday, September 3. The outage affected organizations using Matrix.org as their home server; organizations with their own instances (homeservers) were not affected by the issue.

A data security breach at Dutch cancer screening firm Clinical Diagnostics NMDL has prompted the Dutch Population Survey (Bevolkingsonderzoek Nederland) to begin notifying approximately 941,000 individuals that their personal health data have been compromised. While Clinical Diagnostics NMDL has confirmed that approximately 715,000 people were directly affected by the breach, the total number of individuals being notified represents "all individuals whose data has ever been shared with the laboratory." In early August, Clinical Diagnostics NMDL reported that the breach affected 485,000 people; the organization updated that figure to 715,000 last week. The Dutch Population Survey made the decision to notify all 941,000 people whose data were shared with Clinical Diagnostics NMDL after Clinical Diagnostics NMDL was unable to confirm the scope of the breach.

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, three of which affect TP-Link products that have reached end-of-service (EoS) or end-of-life (EoL). CVE-2020-24363, CVSS score 8.8, allows an unauthenticated attacker to achieve admin access on TP-Link TL-WA855RE Wi-Fi range extender devices by setting a new administrative password after submitting a TDDP_RESET POST request for a factory reset and reboot. CVE-2025-9377, CVSS score 8.6, allows an attacker to achieve authenticated remote command execution in the Parental Control page of TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers through OS command injection. CVE-2023-50224, CVSS score 6.5, allows an unauthenticated attacker to disclose stored credentials on TP-Link TL-WR841N routers by leveraging an authentication bypass flaw in the httpd service, which listens on TCP port 80 by default. All of the vulnerable products under exploitation are no longer supported by TP-Link, and while firmware updates exist for all three flaws, users are advised in the long term to replace the devices. Other flaws added to CISA's KEV between September 2 and 4 are an incorrect authorization vulnerability in WhatsApp; a time-of-check time-of-use race condition vulnerability in the Linux kernel; a use after free vulnerability in Android; and a deserialization of untrusted data vulnerability in multiple Sitecore products.

Google's September 2025 update for Android includes fixes for at least 84 security issues, including two privilege escalation vulnerabilities (CVE-2025-38352 and CVE-2025-48543) that are being actively exploited. CVE-2025-38352 is a time-of-check time-of-use (TOCTOU) race condition in the Linux kernel and was initially disclosed on July 22, 2025. CVE-2025-48543 is a use after free issue in Android Runtime. The release also includes fixes for four critical vulnerabilities: a remote code execution issue in Android's System component, and three issues that affect Qualcomm components.

France's data protection authority, Commission Nationale de l'informatique et des Libertés (CNIL), has fined two companies for failure to comply with regulations regarding cookies. Specifically, CNIL fined Google €325 million (US$379 million) and Singapore-based clothing retailer Shein €150 million (US$175 million) for failing to obtain user consent before tracking their web activity with advertising cookies. CNIL is paying particular attention not only to failure to obtain consent, but also to the use of what it calls "cookie walls," policies that prevent users from accessing services online unless they agree to allow cookies to be placed on their devices.

Two US states have confirmed that disruptive cyberattacks targeting their government offices in August 2025 involved ransomware. The Office of the Pennsylvania Attorney General first announced via social media on August 11 that the office's email, phone systems, and website were offline after a cyber incident. Website and email began to restore gradually within the following week, and phone lines remained down for an additional week. A press release published on August 29 states that the main office phone line and website are operational and most of the office's approximately 1,200 staff have access to email. "Some courts have issued orders providing time extensions on respective criminal and civil cases," and work by attorneys and agents has continued through the disruptions, which Attorney General Dave Sunday says were "caused by an outsider encrypting files" and demanding a ransom, which was not paid. The state of Nevada suffered disruption to phone lines, websites, and online platforms responding to a cyberattack on August 26, enlisting the aid of the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI for remediation and investigation. Nevada's Chief Information Officer Timothy Galluzi confirmed in an August 27 press conference that the attack was "ransomware-based" and that some information was exfiltrated by the threat actor, but stated that investigation is still ongoing to determine the type or types of data; any affected individuals will be notified if sensitive personal data are found to have been stolen. The Nevada Office of Emergency Management/Homeland Security regularly updates an information page describing the incident and recovery process by department and office, also offering resources, guidelines, and a detailed FAQ for NV residents who may be impacted.

In a September 2 statement, British car manufacturer Jaguar Land Rover writes that their global IT systems were "impacted by a cyber incident... [and] took immediate action to mitigate its impact by proactively shutting down [their] systems." Staff at the company's plant near Liverpool was told not to report for work on Monday, September 1. The operational disruptions affected both the company's manufacturing facilities and retail outlets. Earlier this year, Jaguar Land Rover investigated claims that a ransomware group had stolen source code and tracking data from the automobile company.

On Tuesday, September 2, 2025, Cloudflare announced via social media that among the hundreds of hyper-volumetric distributed denial-of-service (DDoS) attacks they have blocked in recent weeks, the highest peaks were an unprecedented 5.1 billion packets per second (Bpps) and 11.5 terabits per second (Tbps). The 11.5 Tbps attack was a User Datagram Protocol (UDP) flood lasting approximately 35 seconds, originating from "a combination of several IoT and cloud providers," including Google Cloud. The previous record observed and blocked by Cloudflare was a 7.3 Tbps attack in June 2025. William Manzione, product manager at RETN, stated to Dark Reading that the degree of actual disruption to users is the best way to measure DDoS defense, and complexity may be a more worthwhile focus than size: "The attacks that demand real attention are those that combine volume with persistence or complexity — multivector campaigns that quietly congest links, trigger reroutes, and degrade real user experience."

More than 20 government agencies from 15 countries have published joint guidance for Software Bills of Materials. The document, A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity, aims to strengthen global supply chain cybersecurity. It provides an overview of what constitutes a Software Bill of Materials (SBOM) and "the value that increased software component and supply chain transparency can offer the global community." The document goes on to explain that SBOMs allow for "greater visibility across an organization’s software supply chain and enterprise system by documenting information about software dependencies," and how they enhance vulnerability management, supply chain risk management, the software development process, and software license management. The docket is signed by agencies from the US, Australia, Canada, Czechia, France, Germany, India, Italy, Japan, the Netherlands, New Zealand, Poland, Singapore, Slovakia, and South Korea. [Note: This document is separate from CISA's 2025 Minimum Elements for a Software Bill of Materials (SBOM) draft (https://www.cisa.gov/sites/default/files/2025-08/2025_CISA_SBOM_Minimum_Elements.pdf) that we wrote about in NewsBites Vol. 27, No. 62 on Tuesday, August 26.]