More on DOGE and that insecure database at SSA…

UK's age ID law pushes users to non-compliant sites, Noem fires FEMA workers for failing basic security protocols, UNC6395 stole a mass of authentication tokens from Salesloft, a hacker used Anthropic's Claude in a crime spree, Salt Typhoon struck at least 200 organizations in 80 countries, more

Welcome back to Metacurity after a two-week hiatus!

I would love to say that during my Metacurity hiatus, I was off somewhere lovely or exciting, taking a break from cybersecurity. But in reality, I was busy writing about cybersecurity, first by writing for CSO Online, which resulted in a series of pieces you might want to read. These pieces, in reverse chronological order, are:

Secondly, during the Metacurity hiatus, I also drafted four new chapters of my upcoming book, currently titled The NIST 2.0 Cybersecurity Framework: Practical Risk Management Using Real-World Incidents, which is a follow-on (but not a second edition) to my first book, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework. Keep your eyes peeled for the publication of this book by Wiley later this year or early in 2026.

And now, Metacurity is back, but I’m shaking things up a little bit by giving access to Metacurity’s full content two days a week – Tuesdays and Thursdays – to only paid subscribers. I will strive to make this new arrangement more attractive with content you can't find anywhere else on those two days, along with Metacurity's usual rundown of daily content aggregated from across the web and cogently summarized.

If you’ve been toying with the idea of signing up for a paid subscription, today is a good day to subscribe. Your subscription will help keep Metacurity going and enable me to continue delivering the daily updates you enjoy. Thank you.


More on DOGE and that insecure database at SSA…

On August 26, Chuck Borges, the Chief Data Officer (CDO) at the Social Security Administration (SSA), filed a whistleblower complaint alleging that the agency mishandled the security of a massive database called the Numerical Identification System (NUMIDENT), which contains extensive personal information on 450 million Americans and eligible noncitizens. Borges argues that by shortcutting the government's normal security authorization process, SSA has left this data vulnerable to theft that could go unnoticed, because the access controls, audit logging, and monitoring that process is meant to verify were never confirmed to be in place.

Borges contends, as outlined in my CSO piece, that a group of Musk-connected DOGE workers copied a live version of the NUMIDENT database into their own AWS environment inside SSA's agency cloud infrastructure. According to Borges, the copy did not appear to comply with the security controls mandated under the Federal Information Security Modernization Act (FISMA), or at least the people who moved NUMIDENT declined to answer any questions about whether they had followed the required security procedures when they created the new database.

Under FISMA, federal agencies must apply a risk management process built on the security and privacy controls NIST publishes (the Risk Management Framework in NIST SP 800-37 and the control catalog in SP 800-53) to any federal system that processes, stores, or transmits information. Applying those controls is a complex, multistep process: the agency selects and implements controls, documents them, has the implementation assessed by independent assessors, and then continuously monitors the system under a risk management plan.

Experts say that meeting the FISMA requirements takes at least six months and requires multiple parties to sign off before SSA can issue the Authorization to Operate (ATO) that a system such as the spun-off NUMIDENT copy needs before it can legitimately run. In an unusual move, the DOGE team assigned itself a provisional ATO, with SSA CIO Aram Moghaddassi, who had worked for Elon Musk before joining the government, stating, "I have determined the business need is higher than the security risk associated with this implementation and I accept all risks associated with this implementation and operation."

Borges says there is no evidence that the DOGE workers completed the required security assessment and authorization steps. SSA spokesperson Nick Perrine told the New York Times that the database created by DOGE is "walled off from the internet." Network isolation, however, addresses only external exposure; it says nothing about who inside that environment can read or export the data, whether that access is logged, or whether anyone is monitoring those logs, which is precisely the gap Borges's complaint describes.