CyberSecurity Knuggets
Jan 28, 2026
1.
Subject: Treasury cancels Booz Allen contracts over tax records leak
Sender: info@metacurity.com
Summary: U.S. Treasury Secretary Scott Bessent has canceled all contracts with Booz Allen Hamilton after a company employee leaked tax records of prominent figures including President Trump, Jeff Bezos, and Elon Musk. The breach involved the confidential information of 406,000 taxpayers between 2018 and 2020. Booz Allen condemned the conduct and emphasized it occurred on government, not company, systems. Additionally, Chinese hacking group Salt Typhoon was reported to have compromised senior officials’ mobile phones in the UK, and a UK High Court ordered Saudi Arabia to pay $4.1 million in damages to a dissident targeted by Pegasus spyware. Other news includes ongoing investigations into crypto asset theft, potential data breaches at Nike, and expansion plans for UK facial recognition policing.
2.
Subject: Accelerate AI Without Expanding Your Attack Surfaces
Sender: news@securityweek.com
Summary: Zscaler is hosting a live virtual event to discuss how organizations can advance AI initiatives, such as generative AI and custom LLM applications, securely by employing Zero Trust principles. The event will cover strategies to enable AI projects while protecting sensitive data, monitoring AI usage, reducing risks, and complying with emerging AI security standards. New AI security features designed to protect the entire AI development and deployment lifecycle will also be previewed.
3.
Subject: Microsoft patches actively exploited Office flaw
Sender: editor@newsletter.n2k.com
Summary: Microsoft has released emergency out-of-band security updates to fix an actively exploited critical vulnerability (CVE-2026-21509) in multiple Office versions. The flaw allows attackers to bypass Object Linking and Embedding (OLE) security by tricking users into opening malicious Office files. Office 2021 and newer versions receive automatic protection via service-side updates but still require application restarts. In other news, the British government has proposed a new National Police Service to handle large-scale cybercrime, and Google agreed to pay $68 million in a privacy lawsuit concerning unauthorized recordings by its voice assistant.
4.
Subject: Browser Extensions Stealing ChatGPT Sessions
Sender: news@securityweek.com
Summary: Researchers have discovered a cluster of malicious Chrome browser extensions stealing ChatGPT authentication tokens. Fifteen of these extensions were found on the official Chrome Web Store and one on the Edge Add-ons marketplace. Though collectively downloaded only around 900 times, these extensions pose a risk by intercepting and stealing users’ ChatGPT sessions. Other cybersecurity headlines include Microsoft patching an Office zero-day, ongoing supply chain flaws in the JavaScript ecosystem, and phishing campaigns targeting over 100 organizations.
5.
Subject: Risky Bulletin: Cyberattack cripples cars across Russia
Sender: risky-biz@ghost.io
Summary: A large-scale cyberattack impacted Delta smart alarm systems across Russia, leaving car owners unable to unlock vehicles, stop alarms, or start engines. The attack was confirmed but details are scarce; it remains unclear if it was a DDoS, ransomware, or wiper attack. The incident coincided with an unrelated outage at Russian airports. Other notable news includes a $68 million settlement by Google over privacy violations with its voice assistant recordings, the launch of WhatsApp’s Strict Account Settings feature to block advanced exploits, and vulnerability disclosures affecting Kubernetes, OpenSSL, and Windows security features. The U.S. Treasury canceled all Booz Allen contracts over a tax record leak, and French authorities plan to ban social media for children under 15.
Stay Well!
