Data Breach, CCPA, Oracle Attack & Patch Update – 10/15/2025

October 14, 2025

Today’s compliance digest features critical updates on data breaches, ransomware attacks, and evolving regulatory landscapes. Harvard University suffered a significant breach due to an Oracle zero-day, while Microsoft issued a massive patch update addressing actively exploited vulnerabilities. New CCPA risk assessment requirements and restrictions on private equity involvement in healthcare practices highlight the increasing complexity of compliance.

Top 5 Critical Compliance Alerts

  • Harvard University Breached in Oracle Zero-Day Attack: The Clop ransomware group claimed responsibility for stealing Harvard’s data as part of a broader campaign against Oracle customers.
  • Microsoft Drops Terrifyingly Large October Patch Update: October 2025’s Patch Tuesday includes actively exploited zero-days and privilege-escalation bugs, and marks the end of Windows 10 updates.
  • China’s Flax Typhoon Turns Geo-Mapping Server into a Backdoor: Chinese APT threat actors compromised an organization’s ArcGIS server, modifying the geospatial mapping software for stealthy access.
  • Pixnapping Attack Lets Attackers Steal 2FA on Android: A proof-of-concept exploit allows an attacker to steal sensitive data from Gmail, Google Accounts, Google Authenticator, Google Maps, Signal, and Venmo.
  • $49.99M Settlement Agreed to Resolve Class Action Data Breach Lawsuit Against Heritage Provider Network et al.: A $49.99 million settlement has received preliminary court approval to resolve class action litigation against Heritage Provider Network.

Compliance Frameworks

  • What Is ISO/IEC 27006-1:2024 & What Changed in the 2024 (2025 Transition) Edition?: This standard governs how certification bodies (CBs) operate when auditing and certifying organizations for ISO 27001.
  • ISO 27001 for Non-IT Roles: A Beginner’s Guide: Understanding ISO 27001 is no longer optional for IT teams alone, as non-technical roles are increasingly involved in projects handling sensitive data.

Regulatory Updates

  • New CRS Regulations – What UK Investment Managers Need To Know: HMRC issued the International Tax Compliance (Amendment) Regulations 2025, introducing significant changes to the UK’s Common Reporting Standard (CRS) regime.
  • California Enacts SB 351: New Restrictions on Private Equity and Hedge Fund Involvement in Physician and Dental Practices: California Governor Gavin Newsom signed Senate Bill 351 into law, strengthening restrictions on the corporate practice of medicine and dentistry in California.
  • Understanding the CCPA’s New Risk Assessment Requirements – Part 2: The California Privacy Protection Agency (CPPA) has approved significant updates to the CCPA regulations, including a new obligation to conduct risk assessments.
  • AI Compliance Tips for Advisers: Investment advisers are exploring ways to leverage AI, which introduces complex legal, regulatory, and fiduciary challenges.

Third-Party Risk & Due Diligence

  • Risk Management Software for Semiconductor Supply Chain Compliance: Ensuring Resilience and Regulatory Alignment: Semiconductor manufacturers face numerous risks due to the globally integrated and complex nature of their supply chains.

Policy & Governance Updates

  • Yes, You Can Fire an Employee for a Problematic Post, but Should You?: Considerations around firing an employee for problematic social media posts are discussed.
  • Are Your Hotline Metrics Telling the Board a Compelling Story?: Compliance leaders can use data visualization and storytelling to help boards grasp the significance of trends in hotline metrics.

Chris Armour
Director of Software Engineering

Operating on the philosophy that 'you can't build a secure system if you don't know how to break it,' Chris leads our engineering division. A top 1% National Cyber League competitor, he hardens our digital infrastructure against the very exploits he has mastered.
