Cybersecurity Headlines – January 19, 2026

Host: Steve Prentice, CISO Series
Episode Main Theme:
A roundup of the latest and most urgent developments in cybersecurity, spotlighting third-party risks, malicious browser extensions, ransomware investigations, and recent data breaches affecting organizations worldwide.

Key Discussion Points & Insights

1. NSA “Dual Hat” Leadership Role Questioned

[00:07] Army Lieutenant General Joshua Rudd, nominee for NSA Director and Chief of U.S. Cyber Command, announced intent to review the “dual hat” arrangement that combines leadership of both agencies.
- This dual role’s efficiency will be assessed if Rudd is confirmed.
- He would succeed General Timothy Hogg, terminated last April, with Lt. Gen. William Hartman currently serving as acting head of both organizations.
Tone/Takeaway: Raises longstanding debate about management efficiency and oversight between two high-stakes cyber defense roles.

Quote:
“He would evaluate the efficiency of the dual hat leadership role between U.S. Cyber Command and the National Security Agency if he is confirmed to the job.”
– Steve Prentice [00:13]

2. Third-Party Applications Overreach

[01:05] Reflectiz researchers analyzed 4,700 top websites over 12 months:
- 64% of third-party applications accessed sensitive data without business justification — up from 51% in 2024.
- Government and education sites most impacted.
- Offenders named: Google Tag Manager, Shopify, Facebook Pixel
- Trend: Governance gap growing around “unjustified access” — third-party tools accessing data without a demonstrable need.

Quote:
“64% of third party applications access sensitive data without business justification, up from 51% in 2024.”
– Steve Prentice [01:19]

3. GhostPoster Extension Campaign Escalates

[02:08] Update: 17 more malicious browser extensions uncovered (Chrome, Firefox, Edge), tied to the GhostPoster campaign, totaling 840,000 installs.
- Discovered by Koi Security.
- Technique: Malicious JavaScript hidden in logo images, implants a backdoor, hijacks affiliate links, and injects invisible iframes for ad fraud/click fraud.
- Most extensions now delisted from respective app stores.

4. Law Enforcement Targets Black Basta Ransomware

[03:10] Ukraine & Germany identified two Ukrainian suspects working for Black Basta, a Russia-linked ransomware gang.
- Suspects acted as “hash crackers”, using specialized tools to recover stolen passwords.
- Oleg Nefedov, Russian national, named group’s ringleader and placed on Interpol wanted list; potential ties to “Conti” gang.

5. Anchorage Police Dept. – Vendor Cyberattack

[04:09] January 7th: Anchorage PD affected by a cyberattack traced to third-party White Box Technologies (Utah-based), during a software update.
- Department believes no systems compromised, no sensitive data stolen.
- White Box supports multiple public agencies across the U.S.

6. Canadian Investment Regulator CIRO – Data Breach

[04:44] CIRO confirms ~750,000 investors impacted by a 2025 breach following a sophisticated phishing attack in August.
- CIRO regulates all investment/mutual fund dealers and market trading in Canada, but is not a government entity.
- Data at risk: PII and financial info (but not login details).

7. Grubhub Data Breach & Extortion

[05:20] Grubhub confirms a breach; hackers accessed systems and are sending extortion demands.
- Nature, scope, and timing of breach not yet clear.
- Uncertainty remains if breach is connected to scam emails from a Grubhub subdomain promoting crypto schemes.

8. Carlsberg Brewery Visitor Data Leak

[05:53] Visitors’ wristband-linked photos and names at Carlsberg’s Copenhagen exhibition are vulnerable.
- Security researcher Alan Mone (Pen Test Partners) found brute-forcing of wristband IDs could reveal hundreds of visitors’ personal images and names.
- Carlsberg alerted in August 2025 but has not yet resolved the issue.

Quote:
“Through a brute forcing technique, anyone could access the names and images belonging to the many hundreds of beer enthusiasts who visit the brewery each month.”
– Steve Prentice [06:21]

Notable Quotes & Memorable Moments

“64% of third-party applications access sensitive data without business justification, up from 51% in 2024.” — Steve Prentice [01:19]
“These newly identified extensions are no longer present in the add-on stores belonging to Mozilla and Microsoft.” — Steve Prentice on GhostPoster [02:47]
“Oleg Nefedov, a 36-year-old Russian national identified as the group's ringleader who may also have ties to the Conti gang.” — Steve Prentice [03:40]
“Through a brute forcing technique, anyone could access the names and images belonging to the many hundreds of beer enthusiasts who visit the brewery each month.” — Steve Prentice [06:21]

Useful Timeline ([Timestamps])

[00:07] NSA dual-hat role under review
[01:05] Third-party app unjustified access report
[02:08] GhostPoster campaign update (extensions & installs)
[03:10] Black Basta ransomware investigation
[04:09] Anchorage Police Dept. cyberattack
[04:44] CIRO breach (Canada)
[05:20] Grubhub data breach & extortion
[05:53] Carlsberg brewery visitor data exposure

Podcast Tone & Language

Style: Concise, direct, fact-based
Tone: Authoritative, urgency-tinged, and always focused on actionable news for information security professionals.

Conclusion

This episode delivers a fast-moving overview of pressing cyber threats and vulnerabilities, highlighting the growing risks from lax third-party governance, the evolving tactics of cybercriminals, and continuing struggles with sensitive data protection across industries. Each headline provides security leaders actionable awareness to inform their defense priorities for the coming week.

Transcript

A (0:00)

From the CISO series, it's Cybersecurity Headlines.

B (0:07)

These are the cybersecurity headlines for Monday, January 19, 2026. I'm Steve Prentice. Cybercom NSA leadership nominee to assess dual hat role Army Lieutenant General Joshua Rudd, the presidential nominee for the Director of the National Security Agency, Chief of the Central Security and Command of US Cyber Command, stated in a confirmation hearing on Thursday that he would evaluate the efficiency of the dual hat leadership role between U.S. cyber Command and the National Security Agency if he is confirmed to the job. He would replace General Timothy Hogg, who had been CyberCom commander and NSA director until his termination in April of last year, at which time he was replaced by current acting head of both organizations, lieutenant General William Hartman Two thirds of third party applications access sensitive data without justification, says report Data released this month by researchers at Reflectiz analyzed 4700 leading websites over a 12 month period ending in November of last year. It suggests that 64% of third party applications access sensitive data without business justification, up from 51% in 2024. Government sector and education sites showed the most active compromise, with Google Tag Manager, Shopify and Facebook Pixel showing up consistently as specific offenders. The report highlights a growing governance gap termed unjustified access, referring to instances where third party tools are granted access to sensitive data without a demonstrable business need. End quote. A link to the report is available in the show. Notes to this episode. Ghost Poster Browser extensions up to 840,000 installs following up on and updating a story we covered one month ago, 17 more malicious extensions linked to the Ghost Poster campaign have been discovered in Chrome, Firefox and Edge stores and have currently accumulated 840,000 installations discovered and reported by researchers at Koi Security. That's Koi Last month, the Ghost Poster campaign delivers malicious JavaScript code inside its logo images. This code monitors browser activity and implants a backdoor and hijacks affiliate links on major e commerce platforms and injects invisible iframes for ad fraud and click fraud. These newly identified extensions are no longer present in the add on stores belonging to Mozilla and Microsoft. Police turn the screws on Black Basta Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia linked ransomware group Black Basta and have placed the group's alleged leader, a Russian national, on an international wanted list. This, according to officials speaking on Thursday. The two suspects were described by police as hash crackers responsible for recovering passwords from stolen data using specialized software. The hunt is now on for oleg Nefedov, a 36 year old Russian national identified as the group's ringleader who may also have ties to the Conti gang. Huge thanks to our sponsor Dropzone AI. Here's a security tip Most vendors won't tell you your SOC analysts aren't slow, they're drowning. The average enterprise faces tens of thousands of alerts daily, and even your best analysts can only investigate so many before burnout wins. Dropzone AI changes that math. Their AI SoC agents autonomously investigate every alert. No playbooks or code required in 3 to 10 minutes flat. So stop triaging, start defending. Book a demo at Dropzone AI that is Dr. O P Z O N E. Anchorage Police Department suffers a cyberattack an incident that occurred on January 7th appears to have been the result of a cyber attack on a third party vendor conducting a software upgrade. The vendor, Utah based White Box Technologies, supports multiple agencies nationwide. Representatives of the Anchorage Police Department state they do not believe any systems were compromised or sensitive Data stolen by the event Canadian investment regulator suffers data breach the Canadian investment regulatory organization Ciro confirmed on Friday that approximately 750,000 investors were impacted by a cyber incident last year. The organization oversees all investment and mutual fund dealers in the country, alongside trading activity on Canada's debt and equity marketplaces. It is not an arm of the Canadian government. The data breach followed a sophisticated phishing attack that was detected in August. The data at risk includes PII and financial information, but not login details. Grubhub confirms data stolen in recent security breach the food delivery platform says hackers accessed its systems and are now sending the company extortion demands. Further details about the breach, including when it occurred and what data may have been taken, have not been released, and it is also unclear as to whether this incident is related to a wave of scam emails that had been sent from its b.grubhub.com subdomain Promoting a cryptocurrency scam Carlsberg Brewer visitor wristbands expose visitor data Visitors to the Carlsberg exhibition in Copenhagen, a popular attraction for beer lovers, are being warned that photographs made of them as part of a memento service may not be secure. Offered as a complement to beer themed activities for visitors, the photos of the visitors themselves were intended to be made available by entering visitor wristband ID onto the company's website for a fixed period of time. However, researchers revealed that through a brute forcing technique, anyone could access the names and images belonging to the many hundreds of beer enthusiasts who visit the brewery each month. This fact was discovered by one visitor to the attraction, Alan Mone of Pen Test Partners, who succeeded in performing a brute forcing exercise and submitted a report to the brewer on Aug. 19, according to the Register. Carlsberg has yet to resolve this issue. It's Monday, and that means it's time for another episode of the Department of no join us at 4pm Eastern today on the CISO series YouTube channel. Each week we ask some of the brightest minds in cybersecurity how the news of the week will impact their jobs and their teams. If you join live, you can ask questions during the show and join in on the fun. So set a calendar reminder for the Department of Know every Monday at 4pm Eastern. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedbacksoseries. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.

Cybersecurity Headlines – January 19, 2026

Key Discussion Points & Insights

1. NSA “Dual Hat” Leadership Role Questioned

[00:07] Army Lieutenant General Joshua Rudd, nominee for NSA Director and Chief of U.S. Cyber Command, announced intent to review the “dual hat” arrangement that combines leadership of both agencies.
- This dual role’s efficiency will be assessed if Rudd is confirmed.
- He would succeed General Timothy Hogg, terminated last April, with Lt. Gen. William Hartman currently serving as acting head of both organizations.
Tone/Takeaway: Raises longstanding debate about management efficiency and oversight between two high-stakes cyber defense roles.

Quote:
“He would evaluate the efficiency of the dual hat leadership role between U.S. Cyber Command and the National Security Agency if he is confirmed to the job.”
– Steve Prentice [00:13]

2. Third-Party Applications Overreach

[01:05] Reflectiz researchers analyzed 4,700 top websites over 12 months:
- 64% of third-party applications accessed sensitive data without business justification — up from 51% in 2024.
- Government and education sites most impacted.
- Offenders named: Google Tag Manager, Shopify, Facebook Pixel
- Trend: Governance gap growing around “unjustified access” — third-party tools accessing data without a demonstrable need.

Quote:
“64% of third party applications access sensitive data without business justification, up from 51% in 2024.”
– Steve Prentice [01:19]

3. GhostPoster Extension Campaign Escalates

[02:08] Update: 17 more malicious browser extensions uncovered (Chrome, Firefox, Edge), tied to the GhostPoster campaign, totaling 840,000 installs.
- Discovered by Koi Security.
- Technique: Malicious JavaScript hidden in logo images, implants a backdoor, hijacks affiliate links, and injects invisible iframes for ad fraud/click fraud.
- Most extensions now delisted from respective app stores.

4. Law Enforcement Targets Black Basta Ransomware

[03:10] Ukraine & Germany identified two Ukrainian suspects working for Black Basta, a Russia-linked ransomware gang.
- Suspects acted as “hash crackers”, using specialized tools to recover stolen passwords.
- Oleg Nefedov, Russian national, named group’s ringleader and placed on Interpol wanted list; potential ties to “Conti” gang.

5. Anchorage Police Dept. – Vendor Cyberattack

[04:09] January 7th: Anchorage PD affected by a cyberattack traced to third-party White Box Technologies (Utah-based), during a software update.
- Department believes no systems compromised, no sensitive data stolen.
- White Box supports multiple public agencies across the U.S.

6. Canadian Investment Regulator CIRO – Data Breach

[04:44] CIRO confirms ~750,000 investors impacted by a 2025 breach following a sophisticated phishing attack in August.
- CIRO regulates all investment/mutual fund dealers and market trading in Canada, but is not a government entity.
- Data at risk: PII and financial info (but not login details).

7. Grubhub Data Breach & Extortion

[05:20] Grubhub confirms a breach; hackers accessed systems and are sending extortion demands.
- Nature, scope, and timing of breach not yet clear.
- Uncertainty remains if breach is connected to scam emails from a Grubhub subdomain promoting crypto schemes.

8. Carlsberg Brewery Visitor Data Leak

[05:53] Visitors’ wristband-linked photos and names at Carlsberg’s Copenhagen exhibition are vulnerable.
- Security researcher Alan Mone (Pen Test Partners) found brute-forcing of wristband IDs could reveal hundreds of visitors’ personal images and names.
- Carlsberg alerted in August 2025 but has not yet resolved the issue.

Quote:
“Through a brute forcing technique, anyone could access the names and images belonging to the many hundreds of beer enthusiasts who visit the brewery each month.”
– Steve Prentice [06:21]

Notable Quotes & Memorable Moments

“64% of third-party applications access sensitive data without business justification, up from 51% in 2024.” — Steve Prentice [01:19]
“These newly identified extensions are no longer present in the add-on stores belonging to Mozilla and Microsoft.” — Steve Prentice on GhostPoster [02:47]
“Oleg Nefedov, a 36-year-old Russian national identified as the group's ringleader who may also have ties to the Conti gang.” — Steve Prentice [03:40]
“Through a brute forcing technique, anyone could access the names and images belonging to the many hundreds of beer enthusiasts who visit the brewery each month.” — Steve Prentice [06:21]

Useful Timeline ([Timestamps])

[00:07] NSA dual-hat role under review
[01:05] Third-party app unjustified access report
[02:08] GhostPoster campaign update (extensions & installs)
[03:10] Black Basta ransomware investigation
[04:09] Anchorage Police Dept. cyberattack
[04:44] CIRO breach (Canada)
[05:20] Grubhub data breach & extortion
[05:53] Carlsberg brewery visitor data exposure

Podcast Tone & Language

Style: Concise, direct, fact-based
Tone: Authoritative, urgency-tinged, and always focused on actionable news for information security professionals.

wavePod

NSA dual-hat question, third-party report, GhostPoster extension continues

Summary

Cybersecurity Headlines – January 19, 2026

Key Discussion Points & Insights

1. NSA “Dual Hat” Leadership Role Questioned

2. Third-Party Applications Overreach

3. GhostPoster Extension Campaign Escalates

4. Law Enforcement Targets Black Basta Ransomware

5. Anchorage Police Dept. – Vendor Cyberattack

6. Canadian Investment Regulator CIRO – Data Breach

7. Grubhub Data Breach & Extortion

8. Carlsberg Brewery Visitor Data Leak

Notable Quotes & Memorable Moments

Useful Timeline ([Timestamps])

Podcast Tone & Language

Conclusion

Transcript

Summary

Cybersecurity Headlines – January 19, 2026

Key Discussion Points & Insights

1. NSA “Dual Hat” Leadership Role Questioned

2. Third-Party Applications Overreach

3. GhostPoster Extension Campaign Escalates

4. Law Enforcement Targets Black Basta Ransomware

5. Anchorage Police Dept. – Vendor Cyberattack

6. Canadian Investment Regulator CIRO – Data Breach

7. Grubhub Data Breach & Extortion

8. Carlsberg Brewery Visitor Data Leak

Notable Quotes & Memorable Moments

Useful Timeline ([Timestamps])

Podcast Tone & Language

Conclusion