
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, October 6, 2025. I'm Steve Prentiss.

ParkMobile's 2021 data breach class action suit concludes. Good news for any victims of the 2021 ParkMobile breach. The class action lawsuit against the Atlanta-based mobile and web parking payments platform has been wrapped up and the payments will now begin. This follows a cybersecurity incident that occurred in March 2021 in which account information for almost 22 million ParkMobile customers was released for free on a hacking forum. The lawsuit accused ParkMobile of failing to adequately protect user data, and the company denied any wrongdoing. The data leaked was mostly PII and license plate numbers, not financial or banking information. The windfall for each of the victims is, wait for it, $1 in the form of an in-app credit, which must be claimed manually and does come with an expiration date of next October.

UK government study suggests secondary schools are larger targets than businesses. According to this UK government survey conducted this time last year, educational institutions are more likely to face a cyberattack or security breach than private businesses. The report says six out of 10 secondary schools have suffered an attack or breach over the past 12 months, rising to 8 out of 10 for further education colleges and 9 out of 10 for higher education institutions. As a comparison, only 4 out of 10 businesses have faced a breach or attack. The researchers defined a cyber attack as an attempt to breach a target's IT systems. Phishing emails were identified as the most common vector.

Zimbra Collaboration Suite flaw used in calendar attacks. This attack leverages a flaw with a CVE number, which is a cross-site scripting vulnerability in ZCS 9.0, 10.0 and 10.1 versions of Zimbra. The flaw is used to deliver a JavaScript payload onto target systems, specifically ICS files, also known as iCalendar files. The vulnerability stems from insufficient sanitization of HTML content in the ICS files. Zimbra had addressed the security issue in January of this year, but researchers at StrikeReady discovered the attack after keeping an eye out for ICS files that were larger than 10 kilobytes and which included JavaScript code.

Salesforce providing support to Scattered Spider victims. Salesforce has said it is, quote, "engaging with customers who are being extorted by cybercriminals through a recently created data leak site," end quote. This points to a recent new leak site posted by Scattered Spider, which listed dozens of large companies from whom the group claims to have stolen data through Salesforce. A Salesforce spokesperson has stated that there is no indication that the Salesforce platform has been compromised in any of these thefts, nor was this activity related to any known vulnerability in their technology. However, they said, "we remain engaged with affected customers to provide support," end quote.

Huge thanks to our sponsor ThreatLocker. Imagine having the power to decide exactly what runs in your IT environment and blocking everything else by default. That's what ThreatLocker delivers as a zero trust endpoint protection platform. ThreatLocker fills the gaps traditional solutions leave behind, giving your business stronger security and control. Don't just react to threats, stop them with ThreatLocker.

LinkedIn sues software company for scraping. A lawsuit was launched on Thursday against software company Pro APIs as well as its CEO for allegedly running an operation charging customers up to $15,000 a month for scraped user data taken from LinkedIn, including posts, reactions and comments. The group allegedly achieved this by creating a network of millions of fake accounts. The lawsuit adds that LinkedIn routinely detects Pro APIs scraping within hours of it beginning, but because the software firm creates hundreds if not thousands of fake accounts daily, it is impossible to stop all of the activity.

Researchers warn of self-spreading WhatsApp malware. A new self-spreading malware campaign called Sorvepotel, that is S-O-R-V-E-P-O-T-E-L, is targeting Brazilian users through WhatsApp. According to Trend Micro, the malware spreads via phishing messages containing malicious zip attachments that users must open on a desktop, suggesting enterprise-focused attacks. Once activated, Sorvepotel propagates automatically through the WhatsApp web interface, causing infected accounts to be banned for excessive spam. Unlike ransomware or data-stealing malware, its purpose appears to be rapid spread and disruption rather than theft. Of the 477 known infections, 457 are in Brazil, affecting sectors including government, public service, manufacturing, technology, education and construction.

Renault UK suffers cyber attack. The UK branch of the French carmaker Renault is warning UK customers that their personal data may have been stolen due to a recent hack. Spokespeople for the company said attackers accessed their third-party supplier's systems and made off with customer details including names, gender, phone numbers, email and postal addresses, and vehicle registration and identification numbers, but no bank details. Renault has not confirmed how many customers are affected, nor has it yet provided details about the scale of the theft or the identity of the breached supplier.

Signal adds new cryptographic defense against quantum attacks. Signal has announced this new cryptographic component designed to withstand quantum computing threats on its users' conversations. It is called the Sparse Post Quantum Ratchet, and this is a technology that continuously updates the encryption keys used in conversations while discarding the old ones. Signal, a nonprofit well known for its end-to-end encrypted messaging, guarantees forward secrecy and post-compromise security. More details about the technology behind this are available in the link provided in the show notes to this episode.

Just a reminder to join us this Friday at 3:30pm Eastern Time for our Week in Review show. Each time we meet, we break down the biggest cybersecurity stories of the week with some CISO perspective. And if you join us live on YouTube, you can get in on our chat, ask questions to our guests, and maybe even add a little snark to the whole proceedings. We would love it if you could join us this Friday at 3:30pm Eastern. And if you share Cybersecurity Headlines with your team, let us know. We would love to know how you utilize this podcast in your work. Send your thoughts to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Steve Prentiss
Episode Theme:
A review of breaking cybersecurity incidents and trends, including legal settlements and vulnerability reports impacting organizations, public institutions, and technology platforms globally.
Steve Prentiss (re: ParkMobile settlement):
“The windfall for each of the victims is, wait for it, $1 in the form of an in app credit, which must be claimed manually and does come with an expiration date of next October.” [01:15]
On UK school vulnerability:
“Educational institutions are more likely to face a cyberattack or security breach than private businesses.” [02:04]
On Scattered Spider extortion:
“We remain engaged with affected customers to provide support.” [03:34]
On Pro APIs scraping operation:
“Because the software firm creates hundreds if not thousands of fake accounts daily, it is impossible to stop all of the activity.” [04:23]
On Sorvepotel malware:
“Its purpose appears to be rapid spread and disruption rather than theft.” [05:25]
Steve Prentiss delivers news in a straightforward, slightly dry and witty tone—evident in remarking on the $1 ParkMobile compensation. The coverage is concise, factual, and designed for rapid consumption by industry professionals.
This episode provided a compact but thorough overview of significant cybersecurity incidents, legal actions, and new security technologies. The focus ranged from global attacks on educational institutions to the nitty-gritty of exploit techniques and class action outcomes, with expert commentary and up-to-the-minute context.