Svoboda Cybersecurity Brief January 15, 2026

Eurail data breach exposes passports and bank details

Eurail confirmed a data breach impacting customers who purchased passes through the DiscoverEU program, exposing passport details, order information, and potentially bank data. The breach was discovered on January 10, with notifications sent to affected users by January 13. No evidence of misuse has been found yet.
Source: The Register

Victorian Department of Education breach impacts student data

Hackers accessed a database containing names, school details, year levels, and encrypted passwords for current and former students in Victoria, Australia. The department reset all student passwords as a precaution, though no evidence of public disclosure exists. Sensitive data like addresses and birthdates were not exposed.
Source: BleepingComputer

South Korea’s Coupang warned over unconfirmed breach disclosures

Korea’s data protection agency ordered Coupang to stop publishing unverified findings about a breach affecting millions, citing potential misinformation. The e-commerce giant had shared suspect statements from a former employee before official investigations concluded.
Source: Korea JoongAng Daily

Kyowon Group confirms ransomware attack and data theft

South Korea’s Kyowon Group disclosed a ransomware attack on January 10, potentially exposing data for 5.5 million individuals. The attack disrupted 600 servers, but the company has not confirmed if customer data was compromised. No ransomware group has claimed responsibility yet.
Source: BleepingComputer

FortiSIEM critical flaw (CVE-2025-25256) allows unauthenticated RCE

A command injection vulnerability in FortiSIEM’s phMonitor service (port 7900) enables remote code execution without authentication. Patches are available for versions 6.7 to 7.5, but unsupported versions (7.0 and 6.7.0) remain vulnerable.
Impact: Remote attackers can execute arbitrary code.
Mitigation: Apply patches or restrict access to port 7900.
Source: BleepingComputer

Reprompt attack hijacks Microsoft Copilot sessions

Researchers demonstrated a method to inject malicious prompts via crafted URLs, bypassing Copilot’s safeguards to exfiltrate data. The attack leverages parameter-to-prompt injection and double-request techniques to maintain persistent access. Microsoft patched the flaw in January 2026.
Impact: Unauthorized data access via compromised Copilot sessions.
Mitigation: Apply the latest Windows security updates.
Source: BleepingComputer

Monroe University breach exposes data of 320,000 individuals

A December 2024 cyberattack compromised personal, financial, and health data of students and staff. The breach was discovered in September 2025, with notifications sent in January 2026. Affected individuals are offered free credit monitoring.
Source: BleepingComputer

CNIL penalized Free Mobile for inadequate security measures after an October 2024 breach exposed 23 million subscribers’ data. Violations included weak VPN authentication and excessive data retention. The company must complete remediation within 3–6 months.
Source: BleepingComputer

Microsoft Patch Tuesday fixes 113 flaws, including zero-day (CVE-2026-20805)

January’s updates address a critical ASLR bypass in Desktop Window Manager (DWM) actively exploited in the wild. Other fixes include critical Office RCE flaws and Secure Boot certificate updates ahead of 2026 expirations.
Impact: Exploitable memory manipulation and remote code execution.
Mitigation: Apply patches immediately, especially for CVE-2026-20805.
Source: KrebsOnSecurity

Pax8 accidentally leaks MSP partner and customer data

An internal spreadsheet with 56,000 entries—including customer names, Microsoft SKUs, and renewal dates—was emailed to 40 UK partners. Threat actors are reportedly seeking the dataset for competitive targeting or phishing.
Source: BleepingComputer

Share this brief: https://svo.bz/DEUN