Cybersecurity Headlines

ADT data breach, Toronto SMS blasting, pre-Stuxnet malware discovery

8 min
Apr 27, 2026
Summary

This episode covers major cybersecurity incidents including the ADT data breach affecting 10 million records, the first North American SMS blasting arrests in Toronto, and a critical discovery of pre-Stuxnet malware from 2005. Additional stories include the Blackfile extortion group's vishing attacks, the Carnival Cruise Lines breach, and Microsoft's new Copilot removal policy for enterprises.

Insights
  • SMS blasting attacks are expanding geographically from international markets to North America, with law enforcement now actively pursuing criminal cases
  • AI-generated malware can be ineffective and unreliable, as demonstrated by Zion Siphon's logic errors and invalid assumptions that rendered it inoperable
  • Extortion-focused hacking groups like Blackfile are increasingly using voice-based social engineering (vishing) rather than traditional phishing to compromise enterprise credentials
  • Enterprise IT administrators now have granular control over AI assistant deployment, reflecting growing organizational concerns about Copilot security and productivity impacts
  • Historical malware research reveals sophisticated cyber-sabotage frameworks predating Stuxnet, suggesting nation-state cyber capabilities evolved earlier than previously documented
Trends
  • Rise of vishing attacks as primary social engineering vector for credential theft in retail and hospitality sectors
  • Geographic expansion of SMS blasting attacks from international markets to North American cities
  • Enterprise pushback against mandatory AI assistant deployment, driving vendor policy flexibility
  • Extortion-as-a-service model linking criminal networks to organized hacking groups targeting specific verticals
  • AI-generated malware quality concerns creating false threat narratives in cybersecurity research
  • Pre-Stuxnet cyber-sabotage frameworks indicating earlier sophistication of nation-state cyber operations
  • Data breach extortion becoming standard practice across hospitality and cruise line industries
  • Mobile app security incidents driving measurable customer churn and brand damage
Topics
  • ADT data breach and customer PII exposure
  • SMS blasting attacks and cellular base station spoofing
  • Vishing attacks and voice-based social engineering
  • Blackfile extortion group operations
  • Windows Insider Program reliability improvements
  • Zion Siphon malware analysis and debunking
  • Pre-Stuxnet malware discovery (FAST-16)
  • Carnival Cruise Lines data breach and extortion
  • Microsoft Copilot enterprise removal policy
  • Industrial control system security threats
  • Mobile app security incident prevention
  • Credential theft and IT helpdesk impersonation
  • Data extortion and ransom negotiations
  • Windows 11 beta testing program overhaul
  • Lua-based malware frameworks
Companies
ADT
Home security company suffered data breach affecting 10 million customer and prospective customer records with basic ...
Shiny Hunters
Extortion group claimed responsibility for ADT breach and threatened data leak, also linked to Carnival Cruise Lines ...
Microsoft
Announced Windows Insider Program overhaul to address reliability concerns and new Copilot removal policy for enterpr...
Palo Alto Networks
Unit 42 research team identified Blackfile extortion group and linked it to vishing attacks against retail and hospit...
Darktrace
AI cybersecurity firm initially identified Zion Siphon malware targeting Israeli water infrastructure
Dragos
Malware analysis firm debunked Zion Siphon threat, identifying it as AI-generated code with logic errors and invalid ...
SentinelOne
Security research firm published report on pre-Stuxnet Lua-based malware (FAST-16) dating back to 2005
Carnival Corporation
World's largest cruise company subsidiary Holland America Line suffered breach exposing 7 million email addresses fro...
Holland America Line
Carnival subsidiary's Mariner Society loyalty program data breached, exposing names, dates of birth, and membership d...
The Com
Cybercriminal network linked to Blackfile extortion group, known for recruiting young people for extortion and violence
People
Steve Prentice
Host and reporter delivering daily cybersecurity headlines and news analysis
Troy Hunt
Have I Been Pwned operator identified Carnival Cruise Lines breach affecting 7 million email addresses
Quotes
"Customer security systems were not affected or compromised in any way."
ADT spokesperson, early in episode
"whoever wrote the malware appears to have little knowledge of how operational technology works at Israeli water plants"
Dragos malware analyst, Zion Siphon segment
"used AI to generate significant portions of the code, leading to hallucinations, guesses, and errors"
Dragos, Zion Siphon analysis
"there are publicly less than 10 malware samples capable of threatening industrial control systems, and Zion Siphon is not one of them"
Dragos, Zion Siphon debunking
"the current channel structure is confusing"
Microsoft, Windows Insider Program segment
Full Transcript
From the CISO Series, it's Cybersecurity Headlines. These are the Cybersecurity Headlines for Monday, April 27th, 2026. I'm Steve Prentice.

ADT says customer data stolen in cyber attack
The home security company ADT stated that Monday's breach resulted in a limited set of customer and prospective customer information. This consists of basic PII, and no payment data was stolen. An ADT spokesperson said, "Customer security systems were not affected or compromised in any way." This past Thursday, the Shiny Hunters group claimed to have stolen 10 million records and threatened to leak the data if a ransom was not forthcoming.

SMS blasting comes to Toronto
So, we have reported on SMS blasting before, but not in North America. SMS blasters operate by mimicking legitimate cellular base stations, effectively tricking nearby phones into connecting to them instead of official mobile networks. They are often fitted into cars, allowing cybercriminals to drive through densely packed cities and capture thousands of active cell numbers in order to blast out spam messages. Now, police in Canada's largest city have arrested three men in the country's first known criminal case of this type. The investigation leading to the arrests began last November, after police were alerted to a suspicious device operating in downtown Toronto. Over the following months, quote, "police tracked the device moving through several locations across the Greater Toronto Area, and two suspects were arrested in March," end quote. Authorities seized a large amount of electronic equipment, including several mobile SMS blasters, and a third person turned themselves in to police last week.

Microsoft Windows Insider Program gets an overhaul
The revamped program has been announced as part of broader plans to address reliability concerns in Windows 11. The Windows Insider Program is a beta testing program that allows members to test early Windows releases and provide feedback. Addressing the complaint that it had not really listened to all the feedback from testers, Microsoft is now making the program simpler and more transparent in the hope that it will help with the development of Windows 11. In its blog post, the company admitted that "the current channel structure is confusing."

New extortion group linked to surge of vishing attacks
This new and financially motivated hacking group, known as Blackfile, has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February of this year. According to Palo Alto Networks' Unit 42, working with the Retail and Hospitality Information Sharing and Analysis Centre, the gang's members impersonate corporate IT helpdesk staff to steal employee credentials. Unit 42 says this gang is likely linked to The Com, which is a network of cybercriminals known for targeting and recruiting young people for extortion, violence and other crimes. In this wave, the attackers use voice-based phishing, that's vishing, from spoofed VoIP numbers or fraudulent caller ID names as a social engineering technique.

Huge thanks to our sponsor, GuardSquare. Mobile app security isn't just a tech issue, it's a revenue issue. A recent global study found that 72% of organizations experienced a mobile app security incident last year. And even worse, 65% saw customer churn or uninstalls as a result. Protect your brand and your bottom line with layered mobile app protection. You can learn more at guardsquare. That is G, Guardsquare.

Zion Siphon Water Infrastructure Threat Holds No Water
Following up on a story we covered last week, the malware called Zion Siphon, first identified by AI cybersecurity firm Darktrace and described as targeting operational technology and industrial control system environments in Israel's water infrastructure, might not be anything more than hype. A malware analyst at Dragos called the malware nothing more than hype, stating that, quote, "whoever wrote the malware appears to have little knowledge of how operational technology works at Israeli water plants," end quote. It appears the developers, quote, "used AI to generate significant portions of the code, leading to hallucinations, guesses, and errors," and the code was so riddled with logic errors and invalid assumptions that Dragos says it would have been inoperable. The company adds there are publicly less than 10 malware samples capable of threatening industrial control systems, and Zion Siphon is not one of them.

Researchers find pre-Stuxnet malware targeting engineering software
Researchers at SentinelOne have published a report on a new Lua-based malware that had been created years before the famous Stuxnet worm, which had aimed to sabotage Iran's nuclear program by destroying uranium enrichment centrifuges. This previously undocumented cyber-sabotage framework dates back to 2005 and primarily targeted high-precision calculation software to tamper with results. It has been codenamed FAST-16. It also precedes the earliest known samples of Flame, also known as Flamer and Skywiper, making it the first strain of Windows malware

Carnival Cruise Lines suffers breach and extortion
Troy Hunt's Have I Been Pwned has potentially identified 7 million unique email addresses belonging to a subsidiary of the world's largest cruise company. The addresses appear to relate to the Mariner Society loyalty program run by Holland America Line, which is a subsidiary of Carnival Corporation. The exposed data includes names, dates of birth, genders, and membership status details, the type of personal data that attackers can easily repurpose for fraud or phishing. Carnival has acknowledged a security incident, and meanwhile the Shiny Hunters extortion crew published what it claims is, quote, "terabytes of internal corporate data," end quote, after negotiations with the cruise line failed.

Microsoft now lets admins uninstall Copilot on enterprise devices
IT administrators can now uninstall the AI-powered Copilot digital assistant from enterprise devices using a new policy setting, which became available after the April 2026 Patch Tuesday. It's called Remove Microsoft Copilot App, and it is available as a policy CSP and Group Policy after deploying this month's Windows security updates on endpoints managed via Microsoft Intune or System Center Configuration Manager. This policy will only apply to Windows 11 25H2 devices where Microsoft 365 Copilot and Microsoft Copilot are both installed, the user did not install the Microsoft Copilot app, and the Microsoft Copilot app was not launched in the last 28 days. Got that?

If you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback at cisoseries.com. We would love to hear from you. I'm Steve Prentice, reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.