SquareX to Uncover Data Splicing Attacks at BSides San Francisco, A Major DLP Flaw that Compromises Data Security of Millions

Palo Alto, California, April 16th, 2025, CyberNewsWire

SquareX researchers Jeswin Mathai and Audrey Adeline will be disclosing a new class of data exfiltration techniques at BSides San Francisco 2025. Titled “Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out”, the talk will demonstrate multiple data splicing techniques that will allow attackers to exfiltrate any sensitive file or clipboard data, completely bypassing major Data Loss Protection (DLP) vendors listed by Gartner by exploiting architectural vulnerabilities in the browser. 

DLP is a core pillar of every enterprise security stack. Data breaches can result in severe consequences including IP loss, regulatory violations, fines, and severe reputational damage. With over 60% of corporate data being stored in the cloud, browsers have become the primary way for employees to create, access, and share data. Consequently, the browser has become a particularly attractive target for external attackers and insider threats alike. Yet, existing endpoint and cloud DLP solutions have limited telemetry and control over how employees interact with data on the browser. 

Additionally, there are several unique challenges when it comes to maintaining data lineage in the browser. This includes managing multiple personal and professional identities, the wide landscape of sanctioned and shadow SaaS apps, and the numerous pathways in which sensitive data can flow between these apps. Unlike managed devices where enterprises have full control over what can be installed on the device, employees can easily sign up for various SaaS services without the IT team’s knowledge or oversight. 

SquareX researcher Audrey Adeline says, “Data splicing attacks are a complete game changer for insider threats and attackers that are seeking to steal information from enterprises. They exploit newer browser features that were invented long after existing DLP solutions, and thus the data exfiltrated using these techniques is completely uninspected, resulting in full bypasses. With today’s workforce heavily relying on SaaS apps and cloud storage services, any organization that uses the browser is vulnerable to data splicing attacks.”

As part of the talk, they will also be releasing an open-source toolkit, “Angry Magpie”, which will allow pentesters and red teams to test their existing DLP stack and better understand their organization’s exposure to Data Splicing Attacks. SquareX hopes that the research will highlight the severe data loss threats that browsers pose and serve as a call to action for enterprises and vendors alike to re-think their data loss protection strategies.

Upon the completion of BSides San Francisco, the SquareX team will also be presenting at RSAC 2025 and will be available at Booth S-2361, South Expo for further discussions on the research.

Talk Details:

Title: Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out

Speakers: Jeswin Mathai and Audrey Adeline

Event: BSides San Francisco 2025

Location: San Francisco, CA

Toolkit Release: Angry Magpie (Open Source)

About the Speakers

Jeswin Mathai, Chief Architect, SquareX

Jeswin Mathai serves as the Chief Architect at SquareX, where he leads the design and implementation of the company’s infrastructure. A seasoned speaker and researcher, Jeswin has showcased his work at prestigious international stages such as DEF CON US, DEF CON China, RootCon, Black Hat Arsenal, Recon Village, and Demo Labs at DEF CON. He has also taught in-classroom training sessions globally at Black Hat US, Black Hat Asia, HITB, RootCon, and OWASP NZ Day. He is also the creator of popular open-source projects such as AWSGoat, AzureGoat, and PAToolkit.

Audrey Adeline, Researcher

Audrey currently leads the Year of Browser Bugs (YOBB) project at SquareX which has disclosed multiple major architectural browser vulnerabilities to date. She is also a published author of The Browser Security Field Manual. Key discoveries from YOBB include Polymorphic Extensions, Browser Ransomware and Browser Syncjacking, all of which have been covered by major publications such as Forbes, Bleeping Computer and Mashable. She is passionate about furthering cybersecurity education and has run multiple workshops with Stanford University and Women in Security and Privacy (WISP). Prior to SquareX, Audrey was a cybersecurity investor at Sequoia Capital and graduated from the University of Cambridge with a degree in Natural Sciences.

About SquareX

SquareX’s industry-first Browser Detection and Response (BDR) helps organizations detect, mitigate, and threat-hunt client-side web attacks against their employees in real time. This includes defending against identity attacks, malicious extensions, spearphishing, browser data loss, and insider threats.

SquareX takes a research and attack-focused approach to browser security. SquareX’s dedicated research team was the first to discover and disclose multiple pivotal attacks, including Last Mile Reassembly Attacks, Browser Syncjacking, Polymorphic Extensions, and Browser-Native Ransomware. As part of the Year of Browser Bugs (YOBB) project, SquareX commits to continue disclosing at least one major architectural browser vulnerability every month.  

Contact

Head of PR
Junice Liew
SquareX
junice@sqrx.com

The post SquareX to Uncover Data Splicing Attacks at BSides San Francisco, A Major DLP Flaw that Compromises Data Security of Millions first appeared on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/BsjUD6E

From Third-Party Vendors to U.S. Tariffs: The New Cyber Risks Facing Supply Chains

Introduction
Cyber threats targeting supply chains have become a growing concern for businesses across industries. As companies continue to expand their reliance on third-party vendors, cloud-based services, and global logistics networks, cybercriminals are exploiting vulnerabilities within these interconnected systems to launch attacks. By first infiltrating a third-party vendor with undetected

from The Hacker News https://ift.tt/kwaRgPn

What to Know about Compliance with India’s Emerging Digital Personal Data Protection Act

With the rise of worldwide data threats and attacks, data privacy acts are springing up across the globe. It may be relatively unknown, but India for one has established a data privacy regulation called the Digital Personal Data Protection (DPDP) Act, passed back in 2023. Established to protect digital personal data and regulate its processing, the DPDP Act aligns with global privacy laws like the EU’s General Data Protection Regulation (GDPR), which we are all familiar with, yet it has its own unique set of rules and requirements.

It’s important to understand the key aspects of the DPDP Act and what you should do to stay compliant. In short, if your organization handles the personal data of residents in India, you need to be prepared.

What is the DPDP Act?

The DPDP Act is India’s own regulation to address concerns over data privacy and security. It applies to organizations that store, collect, or process digitized personal data of individuals in India, regardless of where the company is based. The law emphasizes clear guidelines on data processing, user consent, and penalties for non-compliance.

Some of the key highlights of DPDP you need to know about include:

  • Data fiduciary responsibilities – Organizations handling personal data must implement robust security measures, restrict access based on need, and maintain data protection accountability. In some cases, they must also appoint a Data Protection Officer (DPO).
  • Consent that is explicit – Before processing personal data, organizations must get clear, affirmative consent from individuals. Users must actively agree to data collection – pre-checked boxes or implied permissions won’t cut it.
  • Access and erasure rights – Individuals have the right to know what data an organization holds about them. They can request updates, corrections, or deletion of their data – essentially giving them control over their personal information.
  • Data transfer across borders – The Indian government has the authority to regulate the transfer of personal data outside of India to make sure that its residents’ data is not mishandled or exploited in countries with weaker privacy laws.
  • Strict penalties – Non-compliance can result in hefty fines, reaching up to INR 250 crore ($30 million USD). For businesses failing to obtain proper consent, mishandling data, or violating data security protocols, it will likely also mean significant financial and reputational damage.

Comparing India’s DPDP Act to the EU’s GDPR

It’s clear there are major similarities between the DPDP Act and GDPR, since they both emphasize data rights, consent, and security. But there are also differences which reflect regional approaches to data protection and the specific needs of each jurisdiction. Understanding these distinctions is important for organizations operating within multiple regulatory frameworks.

Some of these differences include:

  • Scope of application – GDPR applies broadly to any organization handling EU citizens’ data, while DPDP is specific to Indian residents.
  • Data localization – While GDPR allows free movement of data across the EU, DPDP instills restrictions on transferring sensitive personal data outside of India.
  • Reporting of a breach – While DPDP’s reporting requirements are still evolving, GDPR establishes strict and specific breach notification timelines.

Why DPDP compliance matters

Pretending you don’t know the DPDP Act exists or ignoring it all together isn’t an option. With India’s skyrocketing digital economy, regulatory compliance is extremely important. Organizations that fail to comply will risk reputational damage, legal penalties, and the loss of consumer trust.

However, a well-structured data protection strategy can provide businesses with not only compliance, but a competitive advantage. By demonstrating a commitment to data privacy, they can build stronger relationships with customers and stakeholders. Proactive steps for compliance also minimize the risk of security breaches, ensuring long-term operational stability.

How technology can help

Navigating data privacy regulations can feel overwhelming. However, approaches such as AI-driven data security governance can help businesses maintain compliance by:

  • Discovering and classifying structured and unstructured personal and sensitive data across cloud and on-premises repositories.
  • Monitoring and autonomously remediating data access and sharing to detect risky permissions, overexposed data, and unauthorized sharing.
  • Automating compliance monitoring to ensure your data practices align with the DPDP Act’s requirements.
  • Obtaining real-time insights to mitigate risks and prevent data breaches and unauthorized access.

India’s DPDP Act is a major step toward stronger data privacy and protection. With the proper intelligent data security solutions and practices in place, you can stay ahead of compliance challenges and keep data protected.  

The post What to Know about Compliance with India’s Emerging Digital Personal Data Protection Act first appeared on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/iB7P3Ww

Navigating HIPAA In The Digital Age: How Marketing Teams Can Avoid Costly Violations

In an era where data drives strategy and personalized outreach is key to consumer engagement, marketing teams face mounting pressure to deliver results, especially in healthcare. However, when marketing initiatives intersect with protected health information (PHI), the stakes are significantly higher. HIPAA (Health Insurance Portability and Accountability Act) places strict limitations on how healthcare organizations collect, store, and share patient data. For cybersecurity professionals, ensuring compliance in this digital landscape means taking a proactive role in educating and guiding marketing departments. 

Understanding the HIPAA-Marketing Relationship 

HIPAA was enacted to protect sensitive patient information and to ensure privacy in healthcare transactions. While its relevance to clinicians and healthcare administrators is well-known, marketing teams often overlook their exposure to compliance risks, especially when campaigns target individuals based on health data or behavior. Whether through email campaigns, social media ads, or consumer lead lists, mishandling PHI can result in severe penalties, lawsuits, and long-term reputational damage. 

The challenge lies in the broad definition of PHI. Data points such as names, email addresses, medical conditions, appointment histories, and insurance information are all protected under HIPAA. Even indirect indicators — such as targeting people who downloaded a fertility app or visited a diabetes treatment page — can raise red flags if that data is not properly anonymized. 

Where Marketing Can Go Wrong 

One of the most common pitfalls involves using consumer lead lists that contain health-related information. Purchased or shared lists often lack clear data lineage or proper consent mechanisms. If a marketing team sends emails or digital ads to these contacts without verified HIPAA authorization, the organization could be found in violation even if the marketers were unaware of the regulations. 

Similarly, integrating PHI into customer relationship management (CRM) systems without proper encryption or access controls can create vulnerabilities. Misconfigured cloud storage, unsecured API integrations, and poor endpoint protection are other common weak spots. These missteps aren’t just technical flaws — they represent legal liabilities. 

Cybersecurity professionals must also watch for oversights during the handoff between departments. For example, a healthcare provider may collect patient feedback through a post-visit survey. If those responses are later used for testimonial marketing without HIPAA-compliant consent forms, the organization may unknowingly breach privacy regulations. 

Strategies for HIPAA-Compliant Marketing 

  1. Implement Access Controls: Ensure that only authorized personnel — such as HIPAA-trained marketers or legal advisors — can access data tied to individuals’ health information. 
  2. Audit Data Sources: Verify that all data used in campaigns is collected with proper consent and is HIPAA-compliant. This includes vetting third-party vendors and lead list providers for compliance documentation. 
  3. Use Deidentified Data When Possible: HIPAA permits the use of deidentified data for marketing, provided that all 18 identifiers outlined by the law are removed. Work with data privacy experts to confirm deidentification standards are met. 
  4. Secure Communication Channels: Any emails or digital communication involving PHI must be encrypted. Secure email platforms and SSL certificates are essential for any form of electronic outreach. 
  5. Train Marketing Teams: Regular training sessions on HIPAA and digital marketing ethics can help nontechnical team members understand how to handle data responsibly. Awareness is often the first line of defense. 
  6. Review Business Associate Agreements (BAAs): Ensure BAAs are in place with all marketing vendors who handle PHI. These agreements legally bind third parties to follow HIPAA rules. 

Cybersecurity’s Expanding Role 

For cybersecurity professionals, HIPAA compliance now extends beyond IT infrastructure. With the marketing department increasingly relying on data analytics and personalized targeting, cybersecurity must collaborate across departments. This includes helping select compliant martech tools, conducting risk assessments for marketing workflows, and establishing clear protocols for data segmentation and use. 

Additionally, incident response plans must now include potential marketing-related breaches. If an unauthorized ad campaign mistakenly reveals PHI, the fallout is both a privacy and PR crisis. Being prepared for such incidents is crucial. 

Prevention Over Penalties 

The digital transformation of healthcare marketing offers exciting opportunities but also introduces complex risks. For organizations navigating this evolving landscape, a unified approach between cybersecurity and marketing is essential. By identifying risks early and adopting HIPAA-compliant practices, cybersecurity professionals can play a pivotal role in preventing costly violations. 

Whether you’re working with consumer lead lists or developing targeted campaigns, remember: The goal is not just to market effectively — it’s to market ethically and legally. In the digital age, success is measured not only by clicks and conversions but by trust and compliance. 


Author bio: Richard Bufkin is President of TargetLeads, a division of Senior Direct Inc., a direct mail marketing company. With over 20 years of experience, he focuses on lead generation and growing the business.

The post Navigating HIPAA In The Digital Age: How Marketing Teams Can Avoid Costly Violations first appeared on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/lILXbW2

Chinese espionage group leans on open-source tools to mask intrusions

A Chinese state-sponsored hacking group has been observed using recently released open-source offensive security tools and other tactics in an effort to blend in with more common cybercriminal activity.

The group, UNC5174, is an espionage-minded hacking group that is believed to have ties to the Chinese government and targets Western governments, technology companies, research institutions and think tanks.

In a new campaign observed by researchers at Sysdig, the group was seen using VShell — an open-source Remote Access Trojan made by a Chinese developer and popular among Chinese cybercriminals — to carry out post-exploitation activity.

They were also spotted using WebSockets — a set of open-source communication protocols — to communicate with command-and-control infrastructure, masking much of its malicious traffic through encrypted transmissions.

This was apparently effective, as Sysdig threat research engineer Alessandra Rizzo noted that “our runtime capture confirms that, except for a few random words, we found nothing of note in the network traffic once the connection was upgraded to a WebSocket.”

The observed behavior aligns with a broader trend researchers are seeing, with more advanced and state-sponsored threat actors forgoing bespoke tooling in favor of open-source or cheaper tools used by “script kiddies,” or less technically skilled cybercriminals.

This approach “seems to hold especially true for this particular threat actor, who has been under the radar for the last year since being affiliated with the Chinese government,” Rizzo wrote. It’s also notable because “nearly all” of UNC5174’s tooling observed until the past year had been custom-built and “not easily-copied.”

UNC5174 was seen using both VShell and WebSockets as recently as January, even as the group continued to rely on custom malware for post-exploitation while targeting Linux-based systems.

Indeed, one of the calling cards of UNC5174 is the use of SNOWLIGHT, a malware family first identified by researchers at Mandiant that acts in tandem with VShell to deploy fileless malware on victim systems.

In this latest campaign, the actors use a payload called “dnsloger” that is part of the SNOWLIGHT family. They took actions that reflected in-depth knowledge of Linux-based operating systems, including methods for maintaining persistence, defensive evasion, and injection techniques.

It’s not clear how UNC5174 is obtaining initial access to victim systems, but included among the artifacts discovered by Sysdig researchers are a number of command-and-control domains that suggest that typosquatted website domains and phishing tactics were used.

The findings align with other recently reported activity around UNC5174.

In 2024, the French Cybersecurity Agency ANSSI observed an attacker using the same tactics, techniques and procedures as UNC5174’s exploitation of vulnerabilities in Ivanti’s Cloud Service Appliance product, giving them remote code execution privileges on infected machines. That attack included the use of a zero-day flaw (CVE-2024-8190) days before Ivanti published a security advisory.

But further investigation of infected victims by the agency found that the group had used “common intrusion set” to gain initial access, and suggested that UNC5174 may have been selling its access to the highest bidder.

“Moderately sophisticated and discreet, this intrusion set is characterised by the use of intrusion tools largely available as open source and by the — already publicly reported — use of a rootkit code,” the agency wrote. “Post-exploitation activities do nevertheless differ from one incident to the next, which supports the hypothesis of an intrusion set being used as a means to secure initial access points, to then be sold off or entrusted to other operators.”

Rizzo wrote that UNC5174’s use of open-source tools like VShell and WebSockets has likely helped the group mask its presence in other, yet-to-be discovered campaigns.

“The lack of public documentation on VShell being employed by this threat actor is telling, as the evidence we have gathered shows that this campaign has been active since at least November 2024,” Rizzo noted.

The post Chinese espionage group leans on open-source tools to mask intrusions appeared first on CyberScoop.

from CyberScoop https://ift.tt/9zQhnUL

Tax Season’s Silent Threat: The Importance of Securing the Software Supply Chain

In 2023, the Federal Trade Commission (FTC) released a warning to five of the most popular tax preparation companies, stating they could face civil penalties if they used confidential data collected from consumers for unrelated purposes.

Two years after the warning was published, an even greater concern has emerged — the integrity of the tax prep companies’ software. Gartner predicts that by this year, 45% of organizations worldwide will have experienced attacks on their software supply chains. If compromised, for tax prep businesses and their customers, the consequences of a software supply chain attack could be devastating. The potential threats and damages would extend well beyond the April 15 tax deadline.  

The Hidden Risks in Tax Software 

Sensitive data within tax prep software includes anything from finances to personal details such as marital status and children, and even health details — all of which are a top target for cybercriminals. Adversaries can use this information to conduct identity theft, tax refund fraud and other forms of financial fraud, targeted phishing attacks, and even extortion and blackmail.

One of the most common ways that adversaries attempt to penetrate tax prep companies’ networks is by exploiting vulnerabilities in their software. Tax software, like the overwhelming majority of all software today, is made up of open-source components. Unfortunately, these dependencies often bring a multitude of security weaknesses. 

Nearly all (95%) security weaknesses originate within open-source packages, with half of these vulnerabilities, across all severity levels, having no known fixes. In addition, nearly three-fourths of open-source components are either poorly maintained or no longer maintained.

With the demand that tax season brings on these organizations’ developers, it is nearly impossible for them and security teams to keep up with software supply chain maintenance and governance needs, leaving wide open gaps for threat actors to infiltrate. Plus, the recent IRS reduction in force could also increase IT security threats and make it easier for cybercriminals to break in due to fewer employees, delayed security updates and patches, and diminished security threats and inquiries. 

Strengthening Tax Software from the Inside Out 

Fortunately, there are steps tax companies’ developers and security teams can take to stay secure all year long. 

  1. Get to Know What’s in Your Software: Developers and security teams don’t have X-ray vision, so tax companies need to have a solution that can generate a comprehensive software bill of materials (SBOM). SBOMs can provide visibility into all open-source, third-party, and custom-developed software components, ensuring that even the deepest layers of dependencies meet current compliance standards and don’t introduce risk.
  2. Keep Your SBOMs Organized: Sometimes tax prep companies need to access an SBOM quickly to either verify the origin of software, provide it for a third-party, or pull information for other software. Tax prep companies need to have a secure channel to share SBOMs and security attestations when needed, all while maintaining confidentiality. 
  3. Hold Third-Parties to a High Security Standard: Tax prep companies work with a variety of third-party vendors, including e-filing and payment processors, identity verification and fraud prevention companies, cloud and hosting providers, and even marketing and analytics companies. Tax organizations must have the ability to verify the safety of third-party software and track, share, and manage SBOMs across multiple partners to ensure the integrity of the entire software ecosystem.
  4. Don’t Wait for a Vulnerability to Present a Problem: Identifying vulnerabilities is only half of the battle. Tax organizations also need to take action to fix them quickly, especially for open-source code that might not even have a patch available. Fortunately, there are solutions on the market that can help developers prioritize which vulnerabilities to address first and provide guidance on how to fix them. 

In order for tax companies to stay safe throughout the busy tax prep season, it’s imperative that they focus on proactive cybersecurity measures such as using multi-factor authentication, ensuring regular software updates, applying strong encryption, and providing security education programs for users.

While all of these measures certainly help, all of it is futile without a strong, secure software supply chain. Tax prep companies can protect user data year-round by maintaining SBOMs, holding partners accountable, and proactively managing vulnerabilities. 


The post Tax Season’s Silent Threat: The Importance of Securing the Software Supply Chain first appeared on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/ETPHA58

AWS Weekly Review: Amazon S3 Express One Zone price cuts, Pixtral Large on Amazon Bedrock, Amazon Nova Sonic, and more (April 14, 2025)

The Amazon Web Services (AWS) Summit 2025 season launched this week, starting with the Paris Summit. These free events bring together the global cloud computing community for learning and collaboration. AWS Community Day Romania, held on April 11th, showcased how the local community creates opportunities for collective growth and inclusion.

Last week’s launches
Announcing up to 85% price reductions for Amazon S3 Express One Zone — S3 Express One Zone, a high-performance storage class, now has reduced storage prices by 31 percent, PUT request prices by 55 percent, and GET request prices by 85 percent. In addition, S3 Express One Zone has reduced the per-GB charges for data uploads and retrievals by 60 percent. These charges now apply to all bytes transferred rather than just the portions of requests greater than 512 KB.

Here is a price reduction table in the US East (N. Virginia) AWS Region:

| Price | Previous | New | Price reduction |
|---|---|---|---|
| Storage (per GB-Month) | $0.16 | $0.11 | 31% |
| Writes (PUT requests) | $0.0025 per 1,000 requests up to 512 KB | $0.00113 per 1,000 requests | 55% |
| Reads (GET requests) | $0.0002 per 1,000 requests up to 512 KB | $0.00003 per 1,000 requests | 85% |
| Data upload (per GB) | $0.008 | $0.0032 | 60% |
| Data retrievals (per GB) | $0.0015 | $0.0006 | 60% |

AWS announces Pixtral Large 25.02 model in Amazon Bedrock serverless — Pixtral Large 25.02, developed by Mistral AI, combines advanced vision and language understanding, boasting a 128K context window and multilingual capabilities. This agent-centric design simplifies integration with existing systems. Prompt adherence improves reliability when working with Retrieval Augmented Generation (RAG) applications and large context scenarios.

Introducing Amazon Nova Sonic: Human-like voice conversations for generative AI applications — Amazon Nova Sonic, the newest addition to the Amazon Nova family of foundation models (FMs), is available in Amazon Bedrock to create human-like voice conversations for applications. It unifies speech and text processing into one model, reducing complexity and enhancing natural interactions. Start today with the Amazon Nova model cookbook repository.

Amazon Bedrock Guardrails enhances generative AI application safety with new capabilities — Amazon Bedrock Guardrails introduces new capabilities to enhance generative AI application safety, including multimodal toxicity detection, enhanced Personally Identifiable Information (PII) protection, AWS Identity and Access Management (AWS IAM) policy enforcement, selective guardrail application, and monitor mode for pre-deployment analysis.

AWS App Studio introduces a prebuilt solutions catalog and cross-instance Import and Export — App Studio now offers a prebuilt solutions catalog with ready-to-use applications and patterns, plus cross-instance Import and Export functionality. These features help you streamline application development, reducing setup time to under 15 minutes. Learn more in the AWS App Studio introduces a prebuilt solutions catalog and cross-instance Import and Export blog post.

Amazon Nova Reel 1.1: Featuring up to 2-minute multi-shot videos — Amazon Nova Reel 1.1 enhances video generation through Amazon Bedrock with support for 2-minute multi-shot videos. You can now create content using either single prompts for automatic generation or custom prompts for individual shots, offering flexible options for marketing and social media content creation.

AWS IAM Identity Center now offers improved error messages and AWS CloudTrail logging for provisioning issues — AWS Identity and Access Management (IAM) Identity Center has enhanced its service with improved error messages and AWS CloudTrail logging capabilities. These updates help users better troubleshoot synchronization issues when managing workforce identities across AWS accounts and applications, while enabling automated monitoring and auditing of provisioning problems.

AWS WAF Console adds new top insights visualizations in additional regions — AWS WAF Console now offers enhanced traffic visualization features in AWS GovCloud (US) Regions. The all traffic dashboard includes new top insights based on Amazon CloudWatch logs, helping customers analyze traffic patterns, identify security threats, and optimize WAF configurations through detailed metrics.

AWS Step Functions expands data source and output options for Distributed Map — AWS Step Functions enhances Distributed Map with expanded data source support, including JSONL and various delimited file formats from Amazon Simple Storage Service (Amazon S3). The update also adds new output transformation options, enabling more flexible parallel processing workflows and better integration with downstream systems.

Amazon CloudWatch now provides lock contention diagnostics for Aurora PostgreSQL — Amazon CloudWatch Database Insights introduces lock contention diagnostics for Amazon Aurora PostgreSQL in Advanced mode. The feature visualizes blocking and waiting sessions, helping users identify root causes of lock contention issues, with 15-month historical data retention for comprehensive troubleshooting.

Catch up on all AWS announcements on the What’s New with AWS? page.

Other AWS blog posts
Reduce ML training costs with Amazon SageMaker HyperPod — Amazon SageMaker HyperPod addresses hardware failures in large-scale Machine Learning (ML) model training by automatically detecting and replacing faulty instances. The solution reduces downtime from 280 to 40 minutes per failure, potentially saving 32% of training time for large clusters. For a 10-million GPU-hour training job, this translates to $25.6M in cost savings.

Model customization, RAG, or both: A case study with Amazon Nova — A study comparing model customization with fine-tuning and Retrieval Augmented Generation (RAG) approaches with Amazon Nova models. Key findings show combining both methods yields best results: RAG works well for dynamic data and domain insights, while fine-tuning excels in specialized tasks and latency reduction.

Generate user-personalized communication with Amazon Personalize and Amazon Bedrock — Amazon Personalize and Amazon Bedrock work together to create personalized marketing emails. Learn how to create personalized user communications by combining Amazon Personalize for movie recommendations with Amazon Bedrock for generating tailored email content based on user preferences and demographics.

Implement human-in-the-loop confirmation with Amazon Bedrock Agents — When implementing human validation in Amazon Bedrock Agents, developers have two primary frameworks at their disposal: user confirmation and return of control (ROC). Using an HR application example, user confirmation allows simple yes/no validation before executing actions, while ROC enables users to modify parameters before execution.

Multi-LLM routing strategies for generative AI applications on AWS — Learn how to implement multi-Large Language Model (LLM) routing strategies for AWS generative AI applications using static routing, dynamic routing with Amazon Bedrock, or custom solutions for optimal model selection and cost efficiency.

Here are my personal favorite posts from community.aws:

Building a RAG System for Video Content Search and Analysis — In this blog, I’ll show you how to build a RAG system that makes video content searchable and analyzable. Unlocking video content has never been more crucial in today’s digital landscape. Whether you’re managing educational materials, corporate training, or entertainment content, the ability to search and analyze video content efficiently can transform how we interact with multimedia resources.

Build Serverless GenAI Apps Faster with Amazon Q Developer CLI Agent — Amazon Q Developer CLI Agent enables rapid serverless GenAI app development. With one prompt, it generates infrastructure code, Lambda functions, and integrates with Claude 3 Haiku on Amazon Bedrock.

Speech-to-Speech AI: From Dr. Sbaitso to Amazon Nova Sonic — The evolution of speech-to-speech AI, from Dr. Sbaitso (1990s) to Amazon Nova Sonic. New AWS service enables real-time bidirectional conversations through Amazon Bedrock for more natural applications.

Setup Model Context Protocol (MCP) using Amazon Bedrock — A guide to setting up Model Context Protocol (MCP) desktop client with Amazon Bedrock models, enabling seamless integration between AI applications and external tools using Goose client.

Upcoming AWS events
Check your calendars and sign up for these upcoming AWS events:

AWS GenAI Lofts — GenAI Lofts, available around the world, offer collaborative spaces and immersive experiences for startups and developers. You can join in-person GenAI Loft San Francisco events such as GenAI in EdTech: A Hands-On Workshop (April 15), and Unstructured Data Meetup SF (April 16). Find your nearest event at GenAI Lofts.

AWS Summits — Join free online and in-person events that bring the cloud computing community together to connect, collaborate, and learn about AWS. Register in your nearest city: Amsterdam (April 16), London (April 30), and Poland (May 5).

AWS re:Inforce — AWS re:Inforce (June 16–18) in Philadelphia, PA, is our annual learning event devoted to all things AWS cloud security. Registration is open. Be ready to join more than 5,000 security builders and leaders.

AWS Community Days — Join community-led conferences featuring technical discussions, workshops, and hands-on labs driven by expert AWS users and industry leaders from around the world. Upcoming AWS Community Days are scheduled for April 19 in Turkey, and on April 29 in Prague with Jeff Barr as Opening Keynote Speaker.

You can browse all upcoming in-person and virtual events.

Create your AWS Builder ID and reserve your alias. Builder ID is a universal login credential that gives you access—beyond the AWS Management Console—to AWS tools and resources, including over 600 free training courses, community features, and developer tools such as Amazon Q Developer.

That’s all for this week. Stay tuned for next week’s Weekly Roundup!

Eli

Thanks to Andra Somesan for the AWS Community Romania photo and Thembile Martis for the AWS Paris Summit photo.

This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS!


from AWS News Blog https://ift.tt/qrPUM8s