Scott Holland reports that a California state appeals court agreed with a hospital that it should not be held liable for employee misbehavior if they had a clear policy in place but the employee knowingly violated it: A state appeals panel has agreed hospitals can’t be sued if one of their employees posts confidential patient...

Source

Here is today’s reminder of the insider threat and why it may be challenging, but it’s still necessary, to monitor and audit employee access to patient records to spot any inappropriate access. Harris Health is notifying more than 5,000 patients that an employee — who was fired and referred to law enforcement when their wrongdoing...

Source

From Latvian Public Media: The Kurzeme Regional Court has decided to overturn the acquittal of the District Court and to find guilty an official of a state institution for disclosing confidential information and a board member of a company for inciting a public official to disclose this information, Latvian Television reports on 17 September. Latvian...

Source

A former FinWise employee gained access to American First Finance customer information.

The post 689,000 Affected by Insider Breach at FinWise Bank appeared first on SecurityWeek.

From the U.S. Department of Justice: John Murray Rowe Jr., 67, of Lead, South Dakota, was sentenced today to 126 months in prison followed by three years of supervised release and a $25,000 fine for attempted espionage. The defendant was charged by indictment in December 2021 and pleaded guilty in April of last year to one count...

Source

Today’s reminder of the insider threat, from the U.S. Attorney’s Office for the Eastern District of Virginia: ALEXANDRIA, Va. – A U.S. Department of State (DOS) employee was sentenced today to four years in prison for conspiring to collect and transmit national defense information to individuals he knew to be working for the government of...

Source

Oscar Liu reports: Two public hospital doctors have been granted bail after being arrested in Hong Kong on suspicion of leaking a cancer patient’s medical data to highlight alleged professional shortcomings by her operating surgeon. Observers, meanwhile, said that although the incident did not align with the principles of “whistle-blowing”, it underscored the need for...

Source

Riley Brennan reports: The U.S. Court of Appeals for the Third Circuit clarified this week that an employee’s purported violations of workplace computer use policies cannot be criminalized under federal law as long as there is no evidence of hacking or violations of trade secrets. On Tuesday, the federal appellate court affirmed the U.S. District Court...

Source

Iain Thomson reports an update to a case previously reported on this site: A US court sentenced a former developer at power management biz Eaton to four years in prison after he installed malware on the company’s servers. Davis Lu, 55, spent a dozen years at Eaton and rose to become a senior developer of...

Source

The420.in reports: The Delhi Police have arrested 18 individuals for duping State Bank of India (SBI) credit card holders of nearly ₹2.6 crore [USD $296,630.45] in a nationwide fraud. The operation, which ran for six months, relied on insider leaks at a Gurugram-based call centre and a sophisticated money-laundering network that spanned cash deals and...

Source

For the “No need to hack when it’s leaking” and the “our government is our insider threat” files, Chiara Eisner of NPR reports: Papers with U.S. State Department markings, found Friday morning in the business center of an Alaskan hotel, revealed previously undisclosed and potentially sensitive details about the Aug. 15 meetings between President Donald...

Source

Neil Shaw reports: HM Revenue and Customs (HMRC) has revealed that hundreds of staff have accessed the records of taxpayers without permission or breached security in other ways. HMRC dismissed 50 members of staff last year for accessing or risking the exposure of taxpayers’ records, according to The Telegraph. 354 tax employees have been disciplined for...

Source

The following is part of a press release related to a case previously reported on DataBreaches.net in 2020. On August 7, 2025, WILKINS ESTRELLA and CHARLENE MARTE pled guilty before U.S. District Judge Gregory H. Woods in New York to conspiracy to commit wire fraud and bank fraud in connection with using social security numbers...

Source

Sometimes we like insider leaks, right? Divya reports: A member of North Korea’s notorious Kimsuky espionage group has experienced a significant data breach after insiders leaked hundreds of gigabytes of internal files and tools to the public. The breach, which emerged in early June 2025, exposed the group’s sophisticated backdoors, phishing frameworks, and reconnaissance operations,...

Source

Marko Elez, a 25-year-old employee at Elon Musk’s Department of Government Efficiency (DOGE), has been granted access to sensitive databases at the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. So it should fill all Americans with a deep sense of confidence to learn that Mr. Elez over the weekend inadvertently published a private key that allowed anyone to interact directly with more than four dozen large language models (LLMs) developed by Musk’s artificial intelligence company xAI.

On July 13, Mr. Elez committed a code script to GitHub called “agent.py” that included a private application programming interface (API) key for xAI. The inclusion of the private key was first flagged by GitGuardian, a company that specializes in detecting and remediating exposed secrets in public and proprietary environments. GitGuardian’s systems constantly scan GitHub and other code repositories for exposed API keys, and fire off automated alerts to affected users.

Philippe Caturegli, “chief hacking officer” at the security consultancy Seralys, said the exposed API key allowed access to at least 52 different LLMs used by xAI. The most recent LLM in the list was called “grok-4-0709” and was created on July 9, 2025.

Grok, the generative AI chatbot developed by xAI and integrated into Twitter/X, relies on these and other LLMs (a query to Grok before publication shows Grok currently uses Grok-3, which was launched in Feburary 2025). Earlier today, xAI announced that the Department of Defense will begin using Grok as part of a contract worth up to $200 million. The contract award came less than a week after Grok began spewing antisemitic rants and invoking Adolf Hitler.

Mr. Elez did not respond to a request for comment. The code repository containing the private xAI key was removed shortly after Caturegli notified Elez via email. However, Caturegli said the exposed API key still works and has not yet been revoked.

“If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,” Caturegli told KrebsOnSecurity.

Prior to joining DOGE, Marko Elez worked for a number of Musk’s companies. His DOGE career began at the Department of the Treasury, and a legal battle over DOGE’s access to Treasury databases showed Elez was sending unencrypted personal information in violation of the agency’s policies.

While still at Treasury, Elez resigned after The Wall Street Journal linked him to social media posts that advocated racism and eugenics. When Vice President J.D. Vance lobbied for Elez to be rehired, President Trump agreed and Musk reinstated him.

Since his re-hiring as a DOGE employee, Elez has been granted access to databases at one federal agency after another. TechCrunch reported in February 2025 that he was working at the Social Security Administration. In March, Business Insider found Elez was part of a DOGE detachment assigned to the Department of Labor.

In April, The New York Times reported that Elez held positions at the U.S. Customs and Border Protection and the Immigration and Customs Enforcement (ICE) bureaus, as well as the Department of Homeland Security. The Washington Post later reported that Elez, while serving as a DOGE advisor at the Department of Justice, had gained access to the Executive Office for Immigration Review’s Courts and Appeals System (EACS).

Elez is not the first DOGE worker to publish internal API keys for xAI: In May, KrebsOnSecurity detailed how another DOGE employee leaked a private xAI key on GitHub for two months, exposing LLMs that were custom made for working with internal data from Musk’s companies, including SpaceX, Tesla and Twitter/X.

Caturegli said it’s difficult to trust someone with access to confidential government systems when they can’t even manage the basics of operational security.

“One leak is a mistake,” he said. “But when the same type of sensitive key gets exposed again and again, it’s not just bad luck, it’s a sign of deeper negligence and a broken security culture.”

Joff Thyer // It has been known for some time that an executable payload generated with msfvenom can leverage an alternative template EXE file, and be encoded to better evade […]

The post Advanced Msfvenom Payload Generation appeared first on Black Hills Information Security, Inc..