Security Squawk - The Business of Cybersecurity
Bryan Hornung, Reginald Andre & Randy Bryan
Security Squawk is a business podcast dedicated to helping business people fight the war against cyber criminals.
TSYS Ransomware Attack, Canvas Data Breach & HIPAA Security Failures Explained
A major U.S. payment processor just got hit by ransomware, again. TSYS, one of the largest payment processors in the country, has been attacked by the Everest ransomware group for the second time in five years. Industry experts warned this was coming. It happened anyway.

At the same time, ShinyHunters claims it stole 275 million records from Instructure, the company behind Canvas, the learning platform used by over 9,000 schools. Names, student IDs, and billions of private messages between students and teachers are now at risk.

And in healthcare, regulators just fined four companies a combined $1.165 million for ransomware-related failures, not because they were hacked, but because they ignored basic security requirements that have been in place since 2003. In one case, attackers sat inside a network for 16 months undetected. These aren't advanced attacks. These are failures to do the fundamentals.

This Week's Cybersecurity Breakdown

1. TSYS Ransomware Attack (Everest Group)
A repeat breach at a major payment processor:
- Systems encrypted and data exfiltrated
- Second major incident in five years
- Also impacts Fiserv
- Raises serious questions about systemic risk in payment infrastructure

2. Instructure / Canvas Data Breach (ShinyHunters)
Massive education sector exposure:
- 275 million records allegedly stolen
- Student data, IDs, and private communications compromised
- Root cause: Salesforce misconfiguration
- Potential impact across 9,000+ schools

3. HHS HIPAA Fines for Ransomware Failures
Regulatory enforcement is accelerating:
- $1.165 million in fines across four companies
- Failure to complete required security risk assessments
- One breach went undetected for 16 months
- OCR has now completed 19 ransomware investigations with the same pattern

The Bottom Line
These attacks aren't breaking through defenses. They're walking through doors that were never closed:
- Misconfigurations
- Missing risk assessments
- Known vulnerabilities left unpatched

This isn't a technology problem. It's an execution problem.

Support the show: buymeacoffee.com/securitysquawk
Subscribe for weekly breakdowns of real-world cyber threats, ransomware attacks, and executive-level security insights.
May 5
41 min
Hackers Use Microsoft Teams to Break In - VPN Ransomware Surge - KPMG 2026 Warning
A cyberattack that sidesteps the security tools you've invested in is spreading, and it starts with a simple Microsoft Teams message. No malware. No exploit. No zero-day. Just someone pretending to be IT support.

At the same time, new data shows 73% of ransomware attacks are now entering through VPNs, and small businesses are absorbing an average of $422,000 per incident. Meanwhile, KPMG just released its 8 cybersecurity priorities for 2026, sending a clear message to executives: the biggest risk isn't technology, it's leadership.

On this episode of Security Squawk, Bryan Hornung, Randy Bryan, and Reginald Andre break down three critical developments every business leader needs to understand right now.

This Week's Cybersecurity Breakdown

1. Microsoft Teams Hack (UNC6692 Attack Campaign)
Hackers are impersonating IT support inside Microsoft Teams to gain access to enterprise environments.
- No software vulnerability exploited
- Targets C-suite and senior leadership (77% of victims)
- Uses legitimate platforms like AWS and Heroku to evade detection

2. VPNs Are Now the Front Door for Ransomware (At-Bay 2026 Report)
New insurance data reveals a sharp increase in ransomware attacks targeting VPN infrastructure:
- 73% of attacks originate through VPNs
- 60% of victims had EDR deployed and still got hit
- SonicWall vulnerabilities linked to a significant percentage of attacks
- Average loss: $422,000 for SMBs

3. KPMG's 8 Cybersecurity Priorities for 2026
A strategic warning for boards, CEOs, and executives:
- AI is now an attack surface
- Non-human identities (APIs, service accounts) are a major blind spot
- Supply chain attacks are becoming the primary entry point
- Cybersecurity is no longer an IT issue; it's a leadership responsibility

The Bottom Line
The biggest cybersecurity gap today isn't technical. It's leadership.
- You can't patch employee trust
- You can't rely on tools without oversight
- You can't delegate cyber risk and expect protection

If you're running a business, this is required awareness.

Support the show: buymeacoffee.com/securitysquawk
Subscribe for weekly breakdowns of real-world cyber threats, ransomware trends, and executive-level security insights.
Apr 28
41 min
Frost & Citizens Bank Ransomware | ShinyHunters Hit Zara, Carnival & 7-Eleven | Vercel Breach
The Everest ransomware group claims it has stolen 250,000+ Social Security Numbers and 3.4 million banking records from Frost Bank and Citizens Bank, and the leak countdown is already ticking. At the same time, ShinyHunters just executed coordinated attacks on Zara, Carnival, and 7-Eleven, while a Vercel breach tied to a compromised AI tool exposed how a single employee action can trigger a multi-million dollar data incident.

This isn't theoretical cybersecurity risk. This is happening right now, and it directly impacts your business, your customers, and your exposure to AI-driven threats.

On this episode of Security Squawk, Bryan Hornung, Randy Bryan, and Reginald Andre break down three major cyberattacks shaping the current threat landscape, and what leaders need to understand immediately.

This Week's Cybersecurity Breakdown

1. ShinyHunters Cyberattacks (Zara, Carnival, 7-Eleven)
One of the most aggressive data breach groups in the world targeted three global brands with a pay-or-leak ultimatum.
- Carnival: 8.7 million customer records stolen
- 7-Eleven: 600,000+ Salesforce records compromised
- Zara: breach originated through third-party vendor Anodot, which had cloud access

2. Everest Ransomware Attack (Frost Bank & Citizens Bank)
A high-impact ransomware operation targeting major U.S. financial institutions:
- 380+ GB of stolen data posted to a dark web extortion site
- Includes SSNs, banking data, and unencrypted credit card numbers with CVVs
- Raises serious questions about data security standards in 2026

3. Vercel Data Breach via AI Tool (Context.ai)
A textbook example of modern attack vectors:
- A single employee connected a compromised AI tool with "Allow All" permissions
- Attackers gained access to internal systems and are now selling the data for $2 million
- Highlights the growing risk of AI integrations in enterprise environments

Why This Matters
These incidents expose three critical realities:
- Third-party vendors are now primary attack surfaces
- Ransomware groups are escalating speed and scale
- AI tools are introducing new, poorly understood security risks

If you run a business, manage IT, or rely on cloud platforms, this is required awareness.

Support the show: buymeacoffee.com/securitysquawk
Subscribe for weekly breakdowns of real-world cyber threats, ransomware attacks, and security leadership insights.
Apr 21
40 min
80 Banks Breached via Marquis Software Vendor Chain
A ransomware attack on one software vendor exposed 823,000 people's Social Security numbers and bank account data across 80 community banks, and those banks didn't find out for 74 days. That's just one of three stories on today's Security Squawk that show exactly how the vendor trust chain is failing businesses right now.

Bryan, Randy, and Reginald break down:

- UNC6783: a brand-new extortion crew that's been hitting "several dozen" high-value corporations, including an alleged Adobe breach of 13 million support tickets, by breaking into their outsourced call centers and help desks instead of the companies themselves.
- Medusa ransomware (tracked by Microsoft as Storm-1175): Microsoft's new research shows the group exploiting zero-day vulnerabilities, for which no patch yet exists, and going from initial access to full ransomware deployment in under 24 hours.
- The full Marquis Software story: a fintech vendor breach that cascaded through 80 community banks, led to a ransom payment, and ended with Marquis suing its own firewall vendor, SonicWall, for gross negligence while defending 36+ consumer class action lawsuits.

If you trust vendors with your customer data, and you do, this episode is about what happens when that trust gets broken.
Apr 14
49 min
FBI Hacked, Chemo Cancelled, 2.5M Hims & Hers Customers Stolen in One Call
Chinese state-linked hackers breached the FBI's own surveillance system, and they got in through a vendor. That's not a spy novel plot; that's a confirmed federal "major incident" declared at the highest severity level under FISMA, and it happened in 2024. That's just the opener.

On this episode of Security Squawk, Bryan Hornung, Randy Bryan, and Reginald Andre cover three stories that show exactly what happens when third-party risk, healthcare IT gaps, and a single phone call aren't taken seriously enough.

SALT TYPHOON HACKS THE FBI: China's Salt Typhoon threat group targeted a vendor ISP with access to the FBI's court-authorized wiretap surveillance system. The breach was classified as a FISMA "major incident," the federal government's highest severity designation.

BROCKTON HOSPITAL CYBERATTACK (April 6, 2026): ambulances diverted, chemo cancelled, pharmacies closed, staff on paper records. The same hospital was breached in 2021. Average healthcare ransomware recovery: $2.5M, 19 days, and a 33% increase in patient mortality.

HIMS & HERS VISHING ATTACK: 2.5 million subscribers. $2.35 billion in revenue. Gone through one phone call. ShinyHunters used a single vishing call to steal an Okta SSO credential and access Zendesk support tickets. CA AG notified. Class action filed.

Support the show: buymeacoffee.com/securitysquawk
Apr 7
37 min
Cyber Claims Doubled, Sheriff's Office Wiped, Texas School District Offline
A ransomware attack walked in through one email, sat silent for two days, then destroyed every computer in an Indiana sheriff's office, and the FBI is still investigating. That's just one of three cybersecurity stories that every business owner needs to hear this week.

On this episode of Security Squawk, Bryan Hornung, Randy Bryan, and Reginald Andre cover:

CHUBB'S 2026 CYBER CLAIMS REPORT: The average cyber insurance claim for large businesses nearly DOUBLED in one year, jumping from $2.2 million to $4.4 million. That's a 586% increase since 2021. And with premiums projected to rise 15-20% in 2026, the cyber insurance market is about to get expensive, even for small and mid-size businesses.

ALAMO HEIGHTS ISD CYBERATTACK: A San Antonio-area school district serving 5,400 students went completely offline. Wi-Fi down. Gmail down. Third-party forensic investigators brought in. 27 Texas school districts have been hit in two years, and $55 million in state grants existed to prevent this. Only one-third applied.

JACKSON COUNTY SHERIFF'S OFFICE RANSOMWARE ATTACK: A dormant ransomware payload entered through a phishing email, waited 48 hours, then activated and spread across every connected system. "Anything that it touched, it corrupted so bad, it won't be able to be used again." The sex offender registry may be permanently lost.

Support the show: buymeacoffee.com/securitysquawk
Mar 31
44 min
4.8M Cybersecurity Jobs Unfilled + 31% of Businesses w/ Backups Still Lost Their Data Are You Next?
31% of businesses that had backup solutions still failed to restore their data during a ransomware attack, according to At-Bay's analysis of 186 real insurance claims. If you think your business is safe because someone "set up backups," you need to watch this.

Meanwhile, there are 4.8 million unfilled cybersecurity jobs globally right now, and 61% of midsize businesses have zero dedicated security staff on payroll. Bryan Hornung and Reginald Andre break down exactly how bad the staffing gap has gotten (ISC2's 2025 Cybersecurity Workforce Study shows growth in the workforce pipeline slowed from 31% in 2022 to just 12% in 2024), why your IT person is being set up to fail, and how much a single mid-level security analyst actually costs versus what an MSSP can deliver at the same price.

Then they go straight at the backup crisis: the 25-point confidence gap between what IT teams believe about recovery and what At-Bay, Sophos, and Spiceworks data actually show. Ransomware attackers target your backup repositories first, before they trigger the main attack. The average business is down 24 days after a ransomware hit, with average recovery costs of $1.53 million. For a business under 500 employees, that can be existential.

This episode is for every business owner who has ever said "we have backups" or "IT handles security" and hasn't verified either of those statements.

Support the show: buymeacoffee.com/securitysquawk
Mar 24
46 min
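The episode above is about the gap between "we have backups" and a restore that actually works. The script below is an added example of the check that closes that gap: it records a hash manifest at backup time and then verifies a restored tree against it, failing on anything missing or altered rather than assuming the restore succeeded. It is not code from Security Squawk, At-Bay, Sophos or Spiceworks; the manifest layout (sha256, size and relative path, tab-separated, one file per line) and the sample files are constructed for the demo, and a real backup tool has its own catalogue format.

```python
"""Restore verification: prove a backup can be restored, don't assume it.

Added example for the backup discussion in the episode above. It is not code
from Security Squawk, At-Bay, Sophos or Spiceworks. The manifest format
(sha256 <TAB> size <TAB> relative path, one file per line) and the sample
files are constructed for this demo; any real backup tool has its own format.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(src_dir: Path, manifest: Path) -> int:
    """Record hash and size of every file under src_dir; returns the file count.

    In practice the manifest is written at backup time and kept where a
    compromised backup host cannot rewrite it (offline copy, object-lock bucket).
    """
    lines = []
    for p in sorted(src_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src_dir).as_posix()
            lines.append(f"{sha256_file(p)}\t{p.stat().st_size}\t{rel}")
    manifest.write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_restore(restore_dir: Path, manifest: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns {"ok": [...], "missing": [...], "mismatch": [...], "passed": bool}.
    A restore only passes when every file is present with the recorded hash.
    """
    result = {"ok": [], "missing": [], "mismatch": [], "passed": False}
    for line in manifest.read_text().splitlines():
        if not line.strip():
            continue
        digest, size, rel = line.split("\t", 2)
        target = restore_dir / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif target.stat().st_size != int(size) or sha256_file(target) != digest:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    result["passed"] = not result["missing"] and not result["mismatch"]
    return result


def demo() -> dict:
    """Constructed scenario: a restore that is silently incomplete and corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        manifest = Path(tmp) / "backup.manifest"
        # Constructed source data, stand-ins for a real system's files.
        files = {
            "config/app.ini": "db_host=10.0.0.5\n",
            "db/orders.sql": "INSERT INTO orders VALUES (1, 'widget');\n",
            "docs/policy.txt": "Backups are tested quarterly.\n",
        }
        for rel, body in files.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        write_manifest(src, manifest)

        # Simulate the restore: one file never came back, one came back altered.
        for rel, body in files.items():
            p = restored / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        (restored / "db/orders.sql").unlink()
        (restored / "docs/policy.txt").write_text("Backups are tested quarterly\n")  # trailing '.' lost
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    outcome = demo()
    print("restore passed:", outcome["passed"])
    for kind in ("missing", "mismatch"):
        for rel in outcome[kind]:
            print(f"  {kind}: {rel}")
```

The design point is that the manifest is the thing an attacker who already owns the backup host cannot be allowed to rewrite; the hashes only prove anything if the copy you verify against lives somewhere the backup credentials cannot reach. Run it on a schedule against a real test restore, not against the backup repository itself.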
DigitalMint Negotiator Was the Attacker | Stryker Wiper | OT Crisis
A ransomware negotiator at DigitalMint secretly ran the attacks he was being paid to stop, then negotiated ransoms on behalf of the companies he'd just hit. This week on Security Squawk, we break down $75 million in extorted ransoms, an Iranian hacker group that destroyed 80,000 Stryker devices in three hours without using any malware, and a new Ponemon Institute survey showing 77% of industrial companies got breached in the past year.

DigitalMint: Angelo Martino, a ransomware negotiator at Chicago-based cybersecurity firm DigitalMint, has been charged with running at least 10 ransomware attacks using the BlackCat/ALPHV gang while simultaneously negotiating ransoms for his own victims. Five companies he attacked then hired DigitalMint and were assigned Martino as their negotiator. Ransoms totaled $75.25 million. Two co-conspirators, including another DigitalMint negotiator and an employee at rival firm Sygnia, already pleaded guilty in December.

Stryker: On March 11, the Iran-linked hacktivist group Handala wiped approximately 80,000 employee devices at medical device giant Stryker using Microsoft Intune, the same device management tool your IT team uses every day. No malware. No ransomware. Just a compromised admin account and a "remote wipe" command.

OT Security Survey: A new Ponemon Institute survey commissioned by Siemens Energy found that 77% of organizations running operational technology (factories, pipelines, utilities, industrial control systems) were breached in the last 12 months. 41% of attacks go completely undetected. Recovery takes seven months on average.

Support the show: buymeacoffee.com/securitysquawk
Mar 17
46 min
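The Stryker story in the episode above turns on a legitimate MDM feature, remote wipe, being issued at a scale no human admin would ever need. The script below is an added example of the detection a SOC would want for that: a sliding-window count of destructive device actions per identity, alerting when one actor crosses a threshold inside a short window. It is not code from Security Squawk, Microsoft or Stryker. The JSON lines are constructed, and their fields (time, actor, action, device) are an assumed, simplified shape rather than Intune's real audit-event schema, so map your own export's field names before using it.

```python
"""Flag one identity issuing many device wipes in a short window.

Added example for the Stryker story in the episode above. It is not code from
Security Squawk, Microsoft or Stryker. The JSON lines below are CONSTRUCTED;
their fields (time, actor, action, device) are an assumed, simplified shape,
not Intune's real audit-event schema, so map your own export's fields first.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: routine helpdesk work plus one admin wiping six laptops
# in eight seconds. Timestamps are UTC.
SAMPLE_AUDIT_LOG = """\
{"time": "2026-03-11T08:00:05Z", "actor": "helpdesk@corp.example", "action": "Sync",   "device": "LT-0001"}
{"time": "2026-03-11T08:02:10Z", "actor": "admin1@corp.example",   "action": "Wipe",   "device": "LT-1001"}
{"time": "2026-03-11T08:02:11Z", "actor": "admin1@corp.example",   "action": "Wipe",   "device": "LT-1002"}
{"time": "2026-03-11T08:02:13Z", "actor": "admin1@corp.example",   "action": "Wipe",   "device": "LT-1003"}
{"time": "2026-03-11T08:02:14Z", "actor": "admin1@corp.example",   "action": "Wipe",   "device": "LT-1004"}
{"time": "2026-03-11T08:02:16Z", "actor": "admin1@corp.example",   "action": "Wipe",   "device": "LT-1005"}
{"time": "2026-03-11T08:02:18Z", "actor": "admin1@corp.example",   "action": "Wipe",   "device": "LT-1006"}
{"time": "2026-03-11T08:30:00Z", "actor": "helpdesk@corp.example", "action": "Wipe",   "device": "LT-0042"}
{"time": "2026-03-11T14:15:00Z", "actor": "helpdesk@corp.example", "action": "Retire", "device": "LT-0043"}
"""

# Actions that remove a device from service; a burst of these is the signal.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete"}


def parse_events(raw: str) -> list:
    """Parse JSON lines and convert the ISO-8601 timestamp to a tz-aware datetime."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect_mass_wipe(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Sliding-window count of destructive actions per actor.

    Returns {actor: {"triggered_at": datetime, "devices": [...]}} for every actor
    that reaches `threshold` destructive actions inside `window`. Devices listed
    are those hit from the start of the triggering window onward.
    """
    recent = defaultdict(deque)  # actor -> deque of (time, device) inside window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        while ev["time"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        alert = alerts.get(ev["actor"])
        if alert is not None:
            alert["devices"].append(ev["device"])   # keep counting once triggered
        elif len(q) >= threshold:
            alerts[ev["actor"]] = {
                "triggered_at": ev["time"],
                "devices": [device for _, device in q],
            }
    return alerts


if __name__ == "__main__":
    for actor, info in detect_mass_wipe(parse_events(SAMPLE_AUDIT_LOG)).items():
        print(f"ALERT {actor}: {len(info['devices'])} devices wiped/retired, "
              f"threshold crossed at {info['triggered_at'].isoformat()}")
```

Detection is the cheap half; the alert only matters if it can trigger something faster than the wipes are landing, such as revoking the actor's sessions or disabling the role. The threshold and window are deliberately low: a single helpdesk wipe is routine, five in ten minutes from one account almost never is.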
Cognizant TriZetto 3.4M Patient Breach, AkzoNobel Ransomware & AI Hacked Mexico's Government
A hacker used an AI chatbot to break into 10 government agencies and steal records on 195 million people, without writing a single line of code. Meanwhile, Cognizant's TriZetto healthcare billing platform sat silently compromised for over a year while 3.4 million patients' data walked out the door.

This week on Security Squawk, Bryan Hornung, Randy Bryan, and Reginald Andre break down four stories that will change how you think about cybersecurity risk in 2026.

COGNIZANT TRIZETTO + UMMC
TriZetto Provider Solutions, a Cognizant company that processes medical billing for thousands of doctors and hospitals, was breached in November 2024. The company didn't discover it until November 2025. One full year. In that time, 3,433,965 patients had their Social Security numbers, Medicare IDs, birth dates, and health insurance details exposed. And in parallel: UMMC was hit by ransomware in February 2026, shutting down all 35 of its statewide clinics for nine days, canceling surgeries, and sending doctors back to pen and paper.

AKZONOBEL
AkzoNobel, the $12 billion paint giant behind Dulux, confirmed that the Anubis ransomware gang stole 170GB of data from one of its U.S. sites. Passport scans, private emails, confidential client agreements. They called it "contained." The data is already public.

AI AND THE MEXICO GOVERNMENT HACK
Fewer than five people used Claude Code AI to breach 10 Mexican government agencies. 150 GB stolen. 195 million identities exposed. The AI initially said no. The attacker talked it into cooperating anyway. The cost of entry for a sophisticated cyberattack just became the price of an AI subscription.

[00:00] Intro
[02:30] Cognizant TriZetto: 3.4M Patients, 1 Year of Silence
[11:00] UMMC: 9-Day Clinic Shutdown Update
[15:30] AkzoNobel: "Contained" Means Nothing When the Data Is Already Gone
[21:00] Claude Code and the Mexico Hack: AI Just Became a Weapon Anyone Can Afford
[27:00] Wrap-Up

Support the show: buymeacoffee.com/securitysquawk
Mar 10
41 min
Vendor Failures, Ransomware Leverage, and Legacy Data Risk
This week's Security Squawk episode isn't about phishing. It's about structural weakness. Three separate incidents. Three different industries. One uncomfortable pattern: the systems organizations trust most are expanding risk quietly, and in some cases, architecturally.

First, a lawsuit that should make every board member pay attention. Marquis Software Solutions, a fintech serving 74 U.S. banks, is suing SonicWall. The allegation centers on SonicWall's cloud backup system, where firewall configuration backups were allegedly accessible and contained credentials, including MFA scratch codes. Those backups were reportedly used to compromise Marquis, leading to a ransomware incident and downstream exposure. What began as a scoped 5% customer exposure was later reported as potentially impacting all customers. This is not a misconfigured endpoint. This is a control-plane failure.

For CEOs, this reframes vendor risk. It's no longer a questionnaire exercise. It's a litigation vector. If a security provider's design exposes authentication artifacts, your internal diligence may not matter. The liability chain now includes vendors and MSPs in a very direct way.

For IT Directors, the operational question is simple: what exactly is inside your firewall backups? Are reusable authentication artifacts stored? Who can access vendor-hosted exports? If attackers obtain your configuration backups, can they reuse those artifacts to walk straight through your defenses?

For MSPs, the exposure is real. If you manage firewall exports or MFA deployments, you are part of the architecture. And potentially part of the courtroom.

Then we shift to UFP Technologies, a medical device manufacturer. Intrusion detected. Billing and shipping label systems disrupted. Data stolen or destroyed. Insurance expected to offset financial impact. But this isn't primarily a data story. Attackers disrupted order-to-cash and fulfillment velocity. In healthcare supply chains, slowing billing and labeling can create immediate executive escalation without touching the factory floor. Modern ransomware groups increasingly target business process choke points (ERP, labeling, scheduling) because leverage doesn't require full encryption anymore.

For CEOs, "no material impact expected" is accounting language. Customers measure impact in delayed shipments. For IT leaders, the question becomes operational: can billing, labeling, and fulfillment functions recover independently? Are those systems segmented? Tested? Immutable? For risk managers and insurers, this represents a shift in underwriting focus, from endpoints to process resilience.

Finally, the University of Hawaiʻi Cancer Center ransomware incident. Roughly 87,000 study participants were directly impacted. But historical datasets, including Social Security numbers collected from driver's license and voter registration data dating back to 1998, expanded potential exposure to nearly 1.2 million individuals. They engaged the threat actors. They received a decryptor. They received "assurances" that data was destroyed. That's not verification. That's negotiation.

The uncomfortable truth: legacy identity data becomes modern ransom currency. Research environments often have weaker governance than clinical systems, yet they can contain decades of sensitive identifiers. For boards, the issue isn't just security posture. It's data retention discipline. What obsolete identity data are you still holding? Why? For how long? And who owns the risk?

Across these stories, three themes emerge:
- Control-plane trust is fragile.
- Operational choke points are the new leverage strategy.
- Data retention is compounded liability.

Cybersecurity is no longer just about stopping intrusion. It's about architectural accountability and governance maturity.

If you value independent, executive-level analysis without vendor spin, support the show at: buymeacoffee.com/securitysquawk

The real question is this: Are your greatest cyber risks coming from external attackers, or from design decisions you haven't revisited in years?
Mar 3
31 min
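Both the Apr 14 episode and the Mar 3 episode above come back to the same operational question: what reusable authentication material is sitting inside your firewall configuration exports? The scanner below is an added example of how to answer it for a decoded export, flagging lines by sensitive key name, by the shape of one-time scratch codes, and by value entropy, and masking the values so the report itself is safe to file. It is not code from Security Squawk, Marquis or SonicWall. The sample export is constructed in a generic key=value layout, not any vendor's real backup format, and the key names, the comma-separated scratch-code layout and the entropy threshold are assumptions to adapt to your own export.

```python
"""Scan a firewall configuration export for reusable authentication artifacts.

Added example for the Marquis/SonicWall discussion in the Apr 14 and Mar 3
episodes above. It is not code from Security Squawk, Marquis or SonicWall.
The export below is CONSTRUCTED in a generic key=value layout; it is not any
vendor's real backup format, and the key names and the comma-separated
scratch-code layout are assumptions. Point the scanner at a decoded copy of
your own export and adapt the patterns to its keys.
"""
import math
import re
from dataclasses import dataclass, field

# Constructed export: a handful of harmless settings mixed with exactly the kind
# of artifacts that let an attacker replay access (admin password, VPN PSK,
# SNMP community, MFA scratch codes, API token).
SAMPLE_EXPORT = """\
# constructed firewall config export (not a real vendor format)
hostname=fw-edge-01
admin_user=admin
admin_password=Sp4rrow!Winter2024
vpn_psk=k9F2xQ8mZ1vL7bT3nR5wY0cH6jP4sD2a
snmp_community=public
mfa_scratch_codes=48213977,90127364,55518204,31784492
syslog_server=10.20.0.5
api_token=tok_7HqgD3Vt0ZyB9kXwLp2RnM4sCf8Ja1Ue
ntp_server=pool.ntp.org
"""

# Key names that usually carry a reusable secret.
SENSITIVE_KEY = re.compile(
    r"pass(word|wd)?|secret|psk|shared[-_]?key|token|api[-_]?key|community|scratch|(backup|recovery)[-_]?code",
    re.IGNORECASE,
)
# Several 6-10 digit groups separated by commas: the shape of one-time scratch codes.
SCRATCH_CODES = re.compile(r"^\d{6,10}(,\d{6,10})+$")
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 20, 3.5


@dataclass
class Finding:
    line: int
    key: str
    preview: str            # masked value, safe to put in a ticket
    reasons: list = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit well above natural words."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())


def mask(value: str) -> str:
    """Keep two leading characters for recognisability, hide the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def scan_export(text: str) -> list:
    """Return one Finding per line that looks like a reusable auth artifact."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        reasons = []
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive key name")
        if SCRATCH_CODES.match(value):
            reasons.append("looks like MFA scratch/backup codes")
        if len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy value")
        if reasons:
            findings.append(Finding(lineno, key, mask(value), reasons))
    return findings


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"line {f.line}: {f.key}={f.preview}  [{', '.join(f.reasons)}]")
    print("Anything listed here that lives in a vendor-hosted backup should be "
          "treated as exposed and rotated: an export is a credential store, not a config file.")
```

The key-name and scratch-code rules catch what the episode describes; the entropy rule is there for the secrets whose key names you did not think to list. Every hit is a question for the vendor (is this export encrypted at rest, and with whose key?) and a rotation task for you, because anyone holding the file holds the same access.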