Cybersecurity Update 17-31 January 2026
- Melissa Hathaway

- Feb 4
United States of America
DOGE Employee Reported for Hatch Act Violation — Illegally Used Social Security Information. On 16 January 2026, a court filing was made public revealing that the Social Security Administration (SSA) had made two Hatch Act violation referrals to the Department of Justice on 10 December 2025. The complaint documents that a Department of Government Efficiency (DOGE) employee signed an agreement to share SSA data with a political advocacy group regarding elections. “Nearly a year after DOGE staff shared sensitive data with a group hoping to overturn election results, SSA acknowledges that they still don’t know what data they shared or whether it is still on an insecure server.” Unfortunately, after the Supreme Court lifted the ban on DOGE access at the SSA on 6 June 2025, DOGE employees transferred a live copy of the country's Social Security database, containing sensitive information on over 300 million Americans, to a Cloudflare server without independent security controls. “Cloudflare is not approved for storing SSA data and when used in this manner is outside SSA’s security protocols.” In addition, DOJ revealed that a DOGE team member was briefly granted access to private Social Security profiles even after a court had prohibited it via a temporary restraining order. (NextGov, Court Document, Whistleblower Complaint, TechCrunch, Politico, NYT, NPR)
Under Armour Breach Leaks 72 Million Records. On 21 January 2025, 72 million Under Armour records were published on the site Have I Been Pwned. Under Armour stated that it suffered a data breach in November 2025. The Everest ransomware syndicate claimed responsibility, exfiltrating ~343 GB of sensitive data. After Under Armour reportedly failed to pay the ransom within the 7-day deadline, the malicious actors leaked the data on their dark web site. Under Armour’s dataset included names, email addresses, genders, dates of birth, and customers’ approximate location based on postcode or ZIP code. The data also included information relating to purchases. An Under Armour spokesperson stated, “Our investigation of this issue, with the assistance of external cybersecurity experts, is ongoing. Importantly, at this time, there’s no evidence to suggest this issue affected UA.com or systems used to process payments or store customer passwords. What we know at this time is the number of affected customers with any sort of information that could be considered sensitive is a very small percentage.” (TechCrunch, Have I Been Pwned, JustaBreach, AP)
AI Agents Pose Threat to Encrypted Apps. On 20 January 2026, Meredith Whittaker, the President of Signal, stated that AI agents pose a major risk to encrypted apps such as Signal. The argument is that if you give an autonomous agent root access to your computer, which such agents require in order to do their job, this access “can be hijacked.” “For an AI agent to act effectively on behalf of a human, it would need unilateral access to apps storing sensitive information such as credit card data and contacts. Any data that the agent stores — the so-called context window — is at greater risk of being compromised,” she further noted. It is essential to keep a barrier between the application and the operating system. AI agents also pose a security risk because they are designed to operate with little human oversight. Enterprises should treat AI agents like high-risk insider users, and technical controls should include monitoring agent behavior and enforcing least privilege. (Bloomberg, Microsoft Blog, McKinsey, Computer World)
US Crypto Wallet Robbed. On 26 January 2026, the US Marshals Service, which provides custody of cryptocurrencies seized by or forfeited to federal law enforcement agencies, confirmed that it is investigating claims that more than $40 million in confiscated digital assets were stolen from government-linked wallets. It is believed that the son of the CEO of Command Services & Support (CMDSS), a Virginia-based technology firm contracted by the Marshals Service to manage and dispose of certain categories of seized cryptocurrency, is the culprit. Blockchain investigator ZachXBT reported that Mr. Daghita gained unauthorized access to crypto wallets holding government-seized digital assets and diverted funds for personal use. The allegations first surfaced after a dispute in a private Telegram chat was recorded and later circulated online. According to ZachXBT, the individual identified as “Lick” appeared to screen-share a wallet holding millions of dollars in cryptocurrency and demonstrated the ability to move funds in real time. ZachXBT estimated that total suspected thefts could exceed $90 million in various crypto when accounting for other wallet activity observed in late 2025, some of which he said remains in compromised wallets. This incident has raised valid concerns over how the U.S. government safeguards its growing stockpile of seized bitcoin and other digital assets. The federal government may control between roughly 198,000 BTC and more than 300,000 BTC, worth tens of billions of dollars at current market prices. (Bloomberg, Post on X, BitCoin Mag, Silicon UK)
OpenAI and ServiceNow Strike Deal to Put AI Agents in Business Software. On 20 January 2026, OpenAI and ServiceNow announced that they signed a three-year strategic collaboration to power agentic AI experiences and accelerate enterprise AI outcomes in business software. The agreement unlocks a deep collaboration between OpenAI technical advisors and ServiceNow engineers. With the latest OpenAI models including GPT-5.2, ServiceNow will unlock custom ServiceNow AI solutions built and aligned to their unique roadmaps. Solutions can be delivered with increased speed and scale with no bespoke development required. In addition, ServiceNow will build direct speech-to-speech AI agents that can listen, reason, and respond naturally using OpenAI models to break through language barriers and offer more natural interactions. (WSJ, ServiceNow, OpenAI)
Supreme Court to Decide Constitutionality of Geofence Warrants. On 16 January 2026, the Supreme Court agreed to review the constitutionality of geofence warrants. These warrants are legal tools allowing law enforcement to compel tech companies (mostly Google) to identify all mobile devices within a specific virtual perimeter during a set timeframe, with the aim of finding suspects. In a brief order, the Justices said they will review a defendant’s appeal arguing that such warrants violate his Fourth Amendment protections against unreasonable searches. In 2024, the U.S. Courts of Appeals for the Fourth and Fifth Circuits issued diverging opinions on whether a geofence amounts to a Fourth Amendment search. On 8 August 2025, the Fifth Circuit ruled that geofence warrants are “categorically prohibited by the Fourth Amendment.” This case will likely be heard this term, which would put it on track for a decision by summer 2026. (The Hill, Congress, EFF)
Crunchbase Breached. On 21 January 2026, Shiny Hunters claimed that they successfully used a “vishing” (voice-phishing) campaign targeting Okta single sign-on (SSO) codes to gain access to the market intelligence firm Crunchbase and exfiltrate at least 2 million records. On 26 January 2026, Crunchbase confirmed a data breach after the malicious actors published files allegedly stolen from its systems. Shiny Hunters published more than 400 MB of compressed files for download on their website after Crunchbase refused to pay a ransom. “Upon detecting the incident we engaged cybersecurity experts to assist us and we contacted federal law enforcement. Crunchbase is aware that the threat actor posted certain information online. As part of our incident response procedures we are reviewing the impacted information to determine if any notifications are required consistent with applicable legal requirements,” Crunchbase stated. Malicious actors who specialize in vishing have started using bespoke phishing kits that can intercept targets' login credentials while also allowing attackers to control the authentication flow in a targeted user's browser in real time. “Where threat actors could once pay for access to a kit with basic features that targeted all popular Identity Providers (Google, Microsoft Entra, Okta, etc.) and cryptocurrency platforms, a new generation of fraudsters are attempting to sell access to bespoke panels for each targeted service,” Okta said. (Security Week, BleepingComputer)
Texas Expands Prohibited Technology List. On 26 January 2026, Texas Governor Abbott announced that the state is adding new restrictions on certain hardware, software and artificial intelligence tools tied to the People’s Republic of China and the Chinese Communist Party. The expanded list includes a range of companies involved in AI, surveillance technology, networking equipment, consumer electronics and e-commerce platforms, including Alibaba, Baidu, Moonshot AI, TCL, TP-Link, Xiaomi and many more. The announcement warned that “hostile adversaries harvest user data through AI and other applications and hardware to exploit, manipulate, and violate users and put them at extreme risk.” The expanded prohibited technology list is aimed at protecting “the privacy of Texans from the People’s Republic of China, the Chinese Communist Party, and any other hostile foreign actors who may attempt to undermine the safety and security of Texas.” (TX Press Release, StateScoop, Letter on TX Cyber Command)
New York Law Requires Advertisers to Disclose Use of AI. On 11 December 2025, New York Governor Hochul signed S8420A — An act to amend the general business law, in relation to requiring advertisements to disclose the use of a synthetic performer. It defines a “synthetic performer” as a digital asset that is created, reproduced, or modified by computer, using generative artificial intelligence or a software algorithm, that is intended to give the impression that the asset is in an audio, audiovisual, and/or visual performance of a human performer who is not recognizable as any identifiable natural performer — meaning the “performer” is fully synthetic and not a replica of a human celebrity or other identifiable person who would benefit from the protections of state right-of-publicity statutes and other existing laws. The law will take effect on 9 June 2026. Failure to comply with the disclosure requirement may result in civil penalties of $1,000 for a first violation and $5,000 per subsequent violation. (New York Senate S8420A, Cooley)
GSA Demands CMMC-Style Requirements on All New Contracts. On 5 January 2026, the General Services Administration (GSA) issued an IT security procedural guide that imposes cybersecurity requirements on contracts similar to the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program. Like CMMC, GSA wants contractors to show they comply with NIST SP 800-171. The guide identifies eight specific security requirements that will block approval if not fully implemented. These include multi-factor authentication for all users, encryption of CUI in transit and at rest, vulnerability scanning and remediation, and elimination of all end-of-life system components. There will also be documentation requirements, including a system security and privacy plan, system architecture diagrams, inventories of hardware, software and services, supply chain risk management, and a plan of action and milestones for any deficiencies. Contractors will be required to go through independent assessments by FedRAMP third-party assessment organizations or GSA-approved assessors. There are also quarterly and annual assessments, and a full independent assessment is required every three years. (Washington Technology, GSA IT Guide)
Hyatt Breached. On 19 January 2026, the NightSpire ransomware syndicate posted on the dark web that it had breached Hyatt Hotels. In the post the malicious actors claim to have exfiltrated 48.5 GB of sensitive data originating from the Hyatt Place Chelsea New York hotel. Data samples appear to be internal company documents. It is still unclear whether NightSpire operates as a ransomware-as-a-service (RaaS) or as a closed organization running its own attacks. (CyberNews)
International Items of Interest
VoidLink Malware Was Likely AI-Generated. On 20 January 2026, Check Point published its analysis of new malware — VoidLink — targeting Linux systems. VoidLink is an advanced malware framework made up of custom loaders, implants, rootkits, and modular plugins designed to maintain long-term access to Linux systems. The framework includes multiple cloud-focused capabilities and modules, and is engineered to operate reliably in cloud and container environments over extended periods. The framework appears to be built and maintained by Chinese-affiliated developers (the exact affiliation remains unclear) and is actively evolving. Its overall design and thorough documentation suggest it is intended for commercial purposes. Malicious actors using AI to assist in malware development isn't new, but Check Point says VoidLink stands out due to its sophistication. The researchers note, “Until now, solid evidence of AI-generated malware has primarily been linked to inexperienced threat actors, as in the case of FunkSec, or to malware that largely mirrored the functionality of existing open source malware tools. VoidLink is the first evidence-based case that shows how dangerous AI can become in the hands of more capable malware developers.” VoidLink “was likely written almost entirely by AI, probably under the direction of a single person.” “From a methodology perspective, the actor used the model beyond coding, adopting an approach called Spec Driven Development (SDD), first tasking it to generate a structured, multi-team development plan with sprint schedules, specifications, and deliverables. That documentation was then repurposed as the execution blueprint, which the model likely followed to implement, iterate, and test the malware end-to-end.” This development marks a significant shift in cybersecurity challenges, requiring new strategies to counter AI-generated threats. (CheckPoint, BleepingComputer, CheckPoint, HackerNews)
CIRO Confirms Data Breach Exposed 750,000 Canadian Investors. On 14 January 2026, the Canadian Investment Regulatory Organization (CIRO) completed its forensic investigation regarding a breach that occurred in August 2025. CIRO confirmed that the data breach impacts about 750,000 Canadian investors. CIRO is Canada’s national self-regulatory body for investment dealers, mutual fund dealers, and trading activity. “After more than 9,000 hours of review, that investigation determined that a limited subset of investigative, compliance and market surveillance data, including some of investor information, was copied from our system.” Sensitive data exposed by the malicious actors includes dates of birth, phone numbers, annual income, social insurance numbers, government-issued ID numbers, investment account numbers, and account statements. “CIRO is continuing to monitor for malicious activity and is offering affected individuals two years of free credit monitoring and identity theft protection.” (BleepingComputer, TechRadar, Security Affairs, CIRO FAQ)
Law Enforcement Targets Suspected Black Basta Members. On 15 January 2026, Ukrainian and German police raided the homes of two Russian nationals living in Ukraine suspected of belonging to the Black Basta ransomware gang. The two arrested specialized in extracting login credentials from account databases and gaining access to protected systems. The stolen credentials were later used to gain unauthorized access to internal corporate systems, escalate privileges within networks, steal sensitive data, and deploy ransomware designed to encrypt systems and extort cryptocurrency payments from victims. Law enforcement seized their digital storage devices and cryptocurrency assets. Black Basta has been active since at least early 2022 and is believed to be responsible for extorting at least 600 companies, hospitals, and public institutions worldwide. Germany’s Federal Criminal Police Office (BKA) also identified the suspected leader of the gang as 36-year-old Oleg Nefedov, a Russian national believed to be at large in his home country. While Nefedov is believed to be the founder and leader of Black Basta, there is also credible evidence linking him to the Conti ransomware syndicate. The police have added Nefedov to Europol's Most Wanted and Interpol's Red Notice lists. Leaked messages from the Black Basta syndicate have also led the U.S. Treasury’s Office of Foreign Assets Control, together with Australian and UK authorities, to sanction Media Land and its subsidiary, Data Center Kirishi. Yalishanda, under the legitimate front of Media Land, provided the hosting and technical support that enabled Black Basta to conduct its attacks without interference. (Euro Most Wanted, CyberScoop, The Record, BleepingComputer, Cybersecurity News)
Germany Pushes for a Two-Speed Europe. On 27 January 2026, German Finance Minister Lars Klingbeil stated that Germany will push for a “two-speed” European Union to break decision-making inertia in the 27-member bloc and galvanize its economies, calling for a core group of member states to move ahead on key policies to make Europe stronger and more independent. The core states are France, Germany, Italy, the Netherlands, Poland, and Spain. Germany put forth a four-point plan: (1) move faster on the Savings and Investment Union to create better financing conditions for European businesses and start-ups; (2) focus on pushing forward the capital markets union to strengthen the euro; (3) enhance cooperation among member states and firmly embed defense as a priority in the next EU multi-annual budget; and (4) strengthen Europe’s ability to secure strategic rare earth supplies. (Reuters)
U.K. Financial Sector Still Failing on Basic Cyber Controls, Report Says. A Bank of England-led cybersecurity review found that many U.K. financial firms and financial market infrastructures (FMIs) still lack basic cyber protections such as strong access controls, patching regimes and intrusion detection, echoing similar gaps seen in past assessments. The CBEST report noted that, “In addition to technical measures, we continue to observe challenges in staff culture, awareness, and training, highlighting that technical measures alone are not sufficient.” FMIs that did not have strict protocols for their help desks, such as verifying the identity of callers, were also vulnerable to malicious actors who fraudulently obtained legitimate credentials. Social engineering attacks were one of the few areas of focus for CBEST assessments in 2025, which are required to simulate the most severe and plausible threats to FMIs. Other types of attack that regulated financial organizations were tested against included those from sophisticated and state-sponsored groups, compromised third parties and supply chains, and malicious insiders. U.S. regulators have warned that a single cyber failure could cause “widespread and cascading effects” across the financial sector. (American Banker, The Register, CBEST Report)
Russian Military Linked to Penetration and Failed Sabotage of Poland's Power Provider in December 2025. On 13 January 2026, Poland openly discussed the Russian attack on its energy grid. In the last week of December 2025, Poland’s energy system faced what has been described as the “largest cyberattack” targeting the country in years. Poland’s energy minister said the “failed attack aimed to disrupt the communication between renewable installations and the power distribution operators.” Researchers at Slovakia’s ESET found data-wiping malware in networks at the state-run electricity supplier, linked to Unit 74455 of Russia’s GRU military intelligence agency, known as Sandworm. ESET said the attackers used a newly observed strain of wiper malware tracked as “DynoWiper.” According to Dragos, at least 30 distributed energy sites across Poland’s electric system were targeted, and some operational technology (OT) was affected at wind, solar, and combined heat and power (CHP) assets. This is the first documented attack against the distributed edge of the grid — the attack resulted in loss of view, loss of control, and denial-of-service (DoS) conditions at affected sites. While no power outages occurred, adversaries gained access to OT systems with control capabilities. From a historical perspective, it is important to note that the coordinated attack occurred on the 10th anniversary of the Sandworm-orchestrated attack against the Ukrainian power grid. That earlier attack resulted in the first-ever malware-facilitated blackout. Back in December 2015, Sandworm used the BlackEnergy malware to gain access to critical systems at several electrical substations, leaving around 230,000 people without electricity for several hours. (Reuters, WeLiveSecurity, CipherBrief, DataBreach Today, IndustrialCyber)
Canada’s Citizen Lab Reports that Cellebrite Was Used Against Jordanian Civil Society. On 22 January 2026, Citizen Lab released the findings of a multi-year investigation highlighting that Cellebrite’s products have been used by the Jordanian authorities to extract data from the phones of activists and civil society members without their consent. The nonconsensual access stood in conflict with international human rights treaties that Jordan has ratified. Citizen Lab, which released its investigation in coordination with the Organized Crime and Corruption Reporting Project (OCCRP), analyzed the phones of four activists after Jordanian authorities seized and returned them, and concluded with “high confidence” that the devices had been subjected to Cellebrite’s forensic extraction products. Cellebrite technology, unlike spyware, can’t intercept communications or monitor devices in real time; rather, it can access private data under legal processes to aid investigations after something has occurred. Court documents from criminal proceedings under Jordan’s 2023 Cybercrime Law supplied additional evidence. (Citizen Lab Report, CyberScoop)
EU Proposes a New Cybersecurity Package. On 19 January 2026, the European Commission proposed a new cybersecurity package to further strengthen the EU's cybersecurity resilience and capabilities in the face of growing threats. The package includes a proposal for a revised Cybersecurity Act, which enhances the security of the EU's Information and Communication Technologies (ICT) supply chains. It ensures that products reaching EU citizens are cyber-secure by design through a simpler certification process. This will be done through a renewed European Cybersecurity Certification Framework (ECCF). The package also facilitates compliance with existing EU cybersecurity rules and reinforces the EU Agency for Cybersecurity (ENISA) in supporting Member States and the EU in managing cybersecurity threats. The package reinforces that Europe must implement the 5G Toolbox and restrict Huawei from critical telecom networks under EU law. The Cybersecurity Act will be applicable immediately after approval by the European Parliament and the Council of the EU. The accompanying NIS2 Directive amendments will also be presented for approval. Once adopted, Member States will have one year to transpose the Directive into national law and communicate the relevant texts to the Commission. (EU Blog, Industrial Cyber, EU Digital Omnibus, Politico-EU)
EU Launches Global Cybersecurity Vulnerability Enumeration (GCVE). On 20 January 2026, Europe officially launched its own way to track software security vulnerabilities after the United States hesitated over funding the Common Vulnerabilities and Exposures (CVE) program. The new project, known as GCVE (Global Cybersecurity Vulnerability Enumeration), is a public database located at db.gcve.eu. The initiative brings together vulnerability information from over 25 public sources. These include GCVE Numbering Authorities (GNAs), which are able to allocate and publish vulnerability identifiers independently. “By enabling GNAs and other publishers to contribute data independently, while still benefiting from global correlation, GCVE aims to reduce single points of failure and foster innovation in vulnerability management,” the GCVE said. The program should aim not to confuse organizations or cause misalignment with CVE tracking; it should aim to be compatible with the US CVE program, using similar language and ratings. (HackRead, InfoSec Magazine, GCVE)
South Korea AI Basic Act Takes Effect. On 22 January 2026, South Korea’s Act on the Development of Artificial Intelligence and Establishment of Trust (AI Basic Act) took effect. It joins the EU AI Act as a comprehensive AI regulatory regime. The AI Basic Act provides high-level requirements for transparency and for addressing high-risk AI systems, and confirms its extraterritorial application. It also creates a framework for the development and promulgation of specific requirements via existing and new government organizations. The Ministry of Science and Information and Communication Technology (MSIT) is charged with finalizing the specific enforcement decrees that will provide the technical details for compliance. (Cooley)
CL0P Ransomware Successfully Breaches 42 Companies. On 26 January 2026, Unit 42 of Palo Alto Networks reported that the Cl0p ransomware syndicate may have breached 43 targets in the last 24 hours as Cl0p posted a new list of victims to their dark web leak site. This significant wave of listings targets organizations across the United States, Canada, the United Kingdom, Europe, and New Zealand. (DExpose, DailyDarkWeb)
Israeli National Cyber Directorate to Be Formalized. On 25 January 2026, Israel published the text of a new bill that, if passed, will become the country’s first permanent cyber law. The proposal would formalize the Israel National Cyber Directorate (INCD), the country's top cyber agency. If it passes, the proposal would also stipulate rules for reporting cyberattacks to the government, customers, and business partners. (Jerusalem Post)
