Human Risk Roundup: A leak, a zero-day, a ban, and a breach

In this edition of the Human Risk Roundup, we explore some recent news events that highlight how threats continue to come at cybersecurity teams from all angles. With security leaks happening at the highest levels of government, trusted legacy products like SharePoint Server still being exploited with new vulnerabilities, a potential new ban on ransomware payments in the UK possibly requiring new reporting from organizations, and well-known brands still falling victim to breaches, cybersecurity professionals continue to find themselves pulled in too many directions. Read more about how the latest news in human risk could impact your organization.

DOGE denizen Marko Elez leaked API key for xAI

Marko Elez, a DOGE employee, accidentally exposed a private API key for xAI's large language models on GitHub, raising concerns about operational security and his access to sensitive government databases. Despite the key being flagged and the repository removed, the key remains active, highlighting systemic negligence and security lapses within the organization.

What happened

The private API key for xAI, Elon Musk’s AI company, that was exposed by Elez on GitHub granted access to over 50 large language models, including the latest "grok-4-0709," used in xAI's generative AI chatbot, Grok. The leak was flagged by GitGuardian, a company specializing in detecting exposed secrets, but the key has not yet been revoked.

Elez has a controversial history, including prior security violations and allegations of racism, yet was reinstated to DOGE through political lobbying. This incident raises concerns about operational security and the handling of sensitive government and AI data. 

Why it matters

This is a significant cybersecurity lapse. This breach granted unauthorized access to 52 LLMs, including those integrated into sensitive systems like Grok, used by the Department of Defense. The incident underscores the risks of poor operational security practices, especially when handling sensitive government and AI-related data. It also raises concerns about the broader security culture within organizations like DOGE, given repeated similar breaches.

For cybersecurity personnel, this serves as a stark reminder of the importance of robust key management, pre-commit secret scanning, and immediate revocation of compromised credentials. The event also emphasizes the need for stricter vetting and training of individuals with access to critical systems.

Four practical tips for security leaders

Use tools like GitGuardian to scan code repositories for exposed secrets, such as API keys, before they are committed.

Ensure API keys are not hardcoded into scripts and are stored securely.

Train all personnel with access to sensitive systems on the importance of operational security, including the handling of classified information.

Address repeated security lapses as signs of systemic issues rather than isolated mistakes.

Read more about the leak.

Microsoft fix targets attacks on SharePoint zero-day

Microsoft released an emergency patch for a critical SharePoint Server vulnerability (CVE-2025-53770) actively exploited by hackers to breach U.S. federal agencies, universities, and energy companies. The flaw, which allows attackers to install a backdoor called "ToolShell" for remote access, requires immediate action beyond patching, including rotating machine keys and isolating affected servers.

What happened

On July 20, 2025, Microsoft released an emergency security update to address a critical vulnerability in SharePoint Server, which has been actively exploited by hackers. The vulnerability is a variant of a previously patched issue, but the earlier fix was incomplete, leaving systems exposed. Researchers discovered widespread exploitation of the flaw, with attackers stealing ASP.NET machine keys to facilitate further attacks.

Microsoft has issued patches for some SharePoint versions but is still working on updates for others, urging organizations to take immediate protective measures. CISA recommends enabling anti-malware scanning, deploying Microsoft Defender, and isolating affected servers from the Internet.

Why it matters

This is a critical cybersecurity issue involving a zero-day vulnerability underscoring the importance of timely patch management, as Microsoft's initial fixes were insufficient. Cybersecurity teams must act swiftly by applying the latest patches, rotating machine keys, and implementing additional defenses like anti-malware scanning and disconnecting vulnerable servers.

The incident also emphasizes the need for proactive threat monitoring, as attackers are leveraging previously patched vulnerabilities in exploit chains. This serves as a reminder of the evolving nature of cyber threats and the necessity for continuous vigilance and layered security measures.

Four practical tips for security leaders

Ensure that all SharePoint Server systems are updated with the latest patches provided by Microsoft.

Rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers.

Activate the Anti-Malware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers to enhance detection and prevention capabilities.

Disconnect affected SharePoint servers from the public-facing Internet until they are fully patched and secured.

Read more about the attack.

UK to ban public sector orgs from paying ransomware gangs

The UK government plans to ban public sector and critical infrastructure organizations, including local councils and the NHS, from paying ransoms to ransomware gangs to disrupt the cybercriminal business model and protect essential services. Additionally, businesses outside the ban's scope must notify the government before making ransom payments, and a mandatory reporting system is being developed to aid law enforcement in tracking attackers and supporting victims.

What will happen

This measure aims to disrupt the business model of cybercriminals and reduce the attractiveness of targeting vital public services. Even businesses outside the ban's scope will have to take the time to notify the government via the new mandatory reporting system before making any ransom payments.

The hope is this will ensure compliance with laws against funding sanctioned groups. The decision follows a public consultation earlier this year, highlighting ransomware as the UK's greatest cybercrime threat and a national security risk. Recent high-profile ransomware attacks on organizations like the NHS and Marks & Spencer underscore the urgency of these measures.

Why it matters

Cybersecurity personnel must adapt to this shift by focusing on prevention, incident response, and recovery strategies, as paying ransoms will no longer be an option. The mandatory reporting system accompanying the ban will provide law enforcement with valuable data to track attackers and support victims.

This move underscores the growing recognition of ransomware as a national security threat, requiring robust defenses and collaboration between public and private sectors. For cybersecurity teams, this policy change highlights the need for proactive measures and resilience planning to mitigate operational and financial risks.

Four practical tips for security leaders

Prioritize robust cybersecurity measures, such as regular system updates, employee training, and advanced threat detection systems.

Implement a system for mandatory reporting of ransomware incidents to law enforcement.

Align with policies discouraging ransom payments to cybercriminals and instead, focus on recovery strategies and ensure backups are secure and untampered.

Seek guidance from government bodies when considering actions like ransom payments, especially to avoid violating laws related to sanctioned groups.

Read more about the ban.

Louis Vuitton confirms Australia data breach following multiple breaches elsewhere

Louis Vuitton experienced a data breach on July 2, 2025, compromising sensitive personal data, including names and contact information, of Australian customers, as well as customers in Hong Kong, Turkey, South Korea, and the UK. While the breach affected over 419,000 individuals globally, the company confirmed that no financial or password information was compromised and has taken measures to contain the incident and cooperate with authorities.

What happened

The breach involved unauthorized access to the company's internal network, leading to the theft of customer information such as names, contact details, and other personal data. However, Louis Vuitton confirmed that no financial information, such as credit card or bank account details, was compromised.

The company took immediate technical measures to contain the breach and is cooperating with authorities, including notifying privacy regulators like the Office of the Privacy Commissioner for Personal Data in Hong Kong. Louis Vuitton has reassured customers of its commitment to addressing the issue and preventing future incidents.

Why it matters

The Louis Vuitton data breach highlights critical challenges for cybersecurity personnel, emphasizing the importance of robust defenses against unauthorized access to sensitive information. This incident underscores the growing sophistication of cybercriminals and the need for proactive measures to detect and mitigate threats before they escalate.

For cybersecurity teams, the breach serves as a reminder of the importance of rapid incident response, as Louis Vuitton's containment efforts and cooperation with authorities demonstrate. Additionally, the global scale of the breach highlights the necessity of compliance with diverse data protection regulations across jurisdictions. 

Four practical tips for security leaders

Regularly monitor internal networks for unauthorized access and unusual activity to detect breaches early.

Ensure technical measures are in place to immediately contain breaches, such as blocking unauthorized access.

Notify affected customers and relevant authorities promptly, providing clear information about the breach and steps being taken.

Periodically review and update security protocols to address vulnerabilities, especially considering repeated incidents across multiple regions.

Read more about the breach.