CyberSecurity news
FlagThis - #dataBreach
|
Pierluigi Paganini@Security Affairs
//
McLaren Health Care, a nonprofit healthcare organization based in Grand Blanc, Michigan, is notifying over 743,000 individuals of a significant data breach. The breach, stemming from a ransomware attack that occurred in July 2024, involved unauthorized access to the healthcare provider's systems. The incident was discovered on August 5, 2024, after McLaren detected suspicious activity on its and Karmanos Cancer Institute’s computer systems.
Following the discovery, McLaren Health Care launched an investigation with the assistance of third-party forensic specialists to secure their network and determine the nature and scope of the activity. The investigation revealed that unauthorized access to the network occurred between July 17, 2024, and August 3, 2024. A comprehensive forensic review of the potentially impacted files concluded on May 5, 2025, confirming that personal and protected health information was compromised. The INC ransomware gang was identified as the cause of the breach. The compromised information may include names, Social Security numbers, driver’s license numbers, medical information, and health insurance details. McLaren Health Care is providing impacted individuals with 12 months of free credit monitoring services and guidance on protecting themselves against fraud and identity theft. Written communications outlining the nature of the breach and the steps being taken were sent directly to the affected individuals. As of June 20, 2025, written notification has been issued to those affected by this data breach. Recommended read:
References :
@kirbyidau.com
//
MKA Accountants, a Victorian accounting firm, has confirmed it fell victim to a ransomware attack by the Qilin group. The incident, which occurred in May 2025, resulted in the publication of sensitive company documents on Qilin's leak site. The stolen data included internal correspondence, financial statements, and insurance information, highlighting the severity of the breach and the potential impact on the firm's operations and client relationships. This attack underscores the growing threat posed by ransomware groups to organizations of all sizes, regardless of their industry.
The Qilin ransomware group has been rapidly gaining prominence in the cybercrime landscape. As established players like RansomHub and LockBit face internal turmoil and operational setbacks, Qilin has emerged as a technically advanced and full-service cybercrime platform. Recent reports indicate that Qilin is actively recruiting affiliates, possibly absorbing talent from defunct groups, and bolstering its capabilities to conduct sophisticated ransomware attacks. This rise in prominence positions Qilin as a major player in the evolving ransomware-as-a-service (RaaS) ecosystem, posing a significant threat to businesses worldwide. To further pressure victims into paying ransoms, Qilin now offers a "Call Lawyer" feature within its affiliate panel. This addition aims to provide affiliates with legal counsel during ransom negotiations, potentially intimidating victims and increasing the likelihood of payment. Furthermore, Qilin provides other services to help affiliates maximize their success. This includes spam services, PB-scale data storage, a team of in-house journalists, and even the ability to conduct distributed denial-of-service (DDoS) attacks, positioning Qilin as a comprehensive cybercrime operation and increasing it's market share. Recommended read:
References :
@www.oxford.gov.uk
//
Oxford City Council has suffered a cyberattack resulting in the potential exposure of personal data relating to election workers. The incident, which occurred the weekend of June 7th and 8th, involved unauthorized access to the council's network. Automated security systems detected and contained the intrusion, minimizing the attackers' access to systems and databases.
As a precaution, the council took down its main systems to conduct thorough security checks. Most systems are now safely operational, with the remainder expected to be back online shortly. While email systems and wider digital services remain secure, the attackers managed to access historic data on legacy systems, specifically impacting individuals who worked on Oxford City Council-administered elections between 2001 and 2022, including poll station workers and ballot counters. The council has stated that there is no evidence to suggest the accessed information has been shared with third parties, and investigations are ongoing to determine the precise nature and extent of the data compromised. Impacted individuals have been contacted, and the council has reported the incident to relevant government authorities and law enforcement agencies, assuring the public that actions have been taken to prevent further unauthorized access and that a full investigation is underway. Recommended read:
References :
@cyberscoop.com
//
References:
thecyberexpress.com
, eSecurity Planet
,
Aflac Incorporated, the insurance giant, has confirmed a cybersecurity incident that occurred on June 12, 2025. The company detected suspicious activity on its US network and promptly initiated its cyber incident response protocols, successfully stopping the intrusion within hours. According to Aflac's official disclosure, their systems were not affected by ransomware, ensuring business operations such as underwriting, claims processing, and customer support remain uninterrupted. However, Aflac warns that sensitive customer information may have been exposed during the breach.
Preliminary findings indicate that the unauthorized party used sophisticated social engineering tactics to gain access to Aflac's network. This method often involves tricking individuals into revealing sensitive information or granting access. Aflac has engaged leading third-party cybersecurity experts to assist with the ongoing investigation. CNN, citing sources familiar with the investigation, reported that this incident, along with others recently affecting the insurance sector, is consistent with the techniques of a cybercrime group known as “Scattered Spider.” Aflac acknowledged the broader context of the attack, stating, "This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group." The review of potentially impacted files is still in its early stages, and Aflac has not yet determined the total number of individuals affected. However, the company has indicated that the compromised files may contain sensitive information. The Aflac breach is the latest cyberattack against the insurance industry. Recommended read:
References :
Dissent@DataBreaches.Net
//
A massive collection of 16 billion login credentials has been discovered, representing one of the largest data thefts in history. Cybernews reports that the exposed data likely originates from various infostealers, malicious software designed to gather sensitive information from infected devices. Researchers have uncovered 30 exposed data sets containing millions to over 3.5 billion records each, totaling the astounding 16 billion credentials. These datasets include logins for major platforms like Apple, Google, Facebook, and Telegram, raising significant concerns about widespread account compromise.
Researchers noted that these datasets were not simply recycled from old data leaks but represent new, potentially "weaponized" information. The exposed data contains a mix of details from stealer malware, credential stuffing sets, and repackaged leaks. While it was not possible to compare data between the different sets effectively, the sheer volume and the platforms targeted highlight the severity of the situation. The data sets were only exposed for a short period and it remains unknown who controlled the large amount of data. The exposure of these 16 billion credentials poses a significant risk of account takeovers, identity theft, and targeted phishing attacks. Cybercriminals now have access to an unprecedented volume of personal data. Users are advised to take immediate action to protect their accounts, including enabling multi-factor authentication and using strong, unique passwords for all online services. News sources indicate that this is not a new data breach but is rather a compilation of previously leaked credentials. Recommended read:
References :
@www.healthcareitnews.com
//
References:
www.comparitech.com
, www.healthcareitnews.com
The healthcare sector has been rocked by a recent ransomware attack on Episource, a medical coding, risk adjustment services, and software company. The breach, which occurred in February 2025, resulted in the compromise of sensitive patient health information. According to reports, unauthorized access to Episource's computer systems allowed cybercriminals to view and copy data belonging to the company's healthcare provider and health plan customers. The exposed information includes personal contact information, health insurance plan data, medical diagnoses, test results, and images, raising serious concerns about patient privacy and security.
Sharp Community Medical Group and Sharp Healthcare, Episource clients, have confirmed that patient data was compromised in the attack. While the incident did not involve unauthorized access to electronic health records or patient portals, the exposed data includes health insurance information and health data, such as medical record numbers, doctors, diagnoses, medications, test results, images, care, and treatments. Episource began notifying affected customers about which individuals and specific data may have been involved starting on April 23, 2025. Sharp Healthcare has also started sending out patient breach notifications. This incident highlights the increasing vulnerability of healthcare organizations to ransomware attacks. Microsoft reports that 389 healthcare companies have been hit by ransomware this year alone, resulting in network shutdowns, offline systems, rescheduled appointments, and delays in critical procedures. The financial impact is significant, with healthcare organizations losing up to $900,000 per day on downtime. Experts emphasize the importance of strengthening cybersecurity measures, including employee training and awareness programs, to protect sensitive patient data and mitigate the risk of future attacks. Episource is working to strengthen its computer systems and has notified law enforcement. Recommended read:
References :
@www.healthcarefinancenews.com
//
References:
cyble.com
, cybersecurityventures.com
,
Ransomware groups are continually evolving their tactics, posing an increasing threat to organizations worldwide. Recent reports highlight the exploitation of vulnerabilities in software and the use of sophisticated techniques, such as abusing legitimate employee monitoring software, to breach systems. A Symantec report revealed the discovery of Fog Ransomware, showcasing the attackers' innovative use of tools, including a legitimate security solution (Syteca) capable of recording on-screen activity and monitoring keystrokes, which they deployed using PsExec and SMBExec.
The Cybersecurity and Infrastructure Security Agency (CISA) issued Advisory AA25‑163A, warning of ransomware actors exploiting CVE-2024-57727 in unpatched SimpleHelp Remote Monitoring and Management (RMM) software, specifically versions 5.5.7 and earlier. This vulnerability allowed attackers to compromise a utility billing software provider and initiate double-extortion attacks. The attacks targeting unpatched SimpleHelp deployments have been observed since January 2025, indicating a sustained and targeted effort to exploit this vulnerability. In addition to software vulnerabilities, data breaches are also occurring through direct hacks. Zoomcar, an Indian car-sharing company, recently acknowledged a data breach affecting 8.4 million users, where hackers accessed customer names, phone numbers, car registration numbers, personal addresses, and emails. While sensitive information like passwords and financial details were reportedly not exposed, the breach raises concerns about the security of personal data stored by such platforms. Furthermore, the DragonForce group has started posting new victims to their darknet site, publicly extorting two new organizations, highlighting the continued use of double extortion tactics by ransomware groups. Recommended read:
References :
Bill Toulas@BleepingComputer
//
The Texas Department of Transportation (TxDOT) is alerting the public to a significant data breach that compromised nearly 300,000 crash records. The incident, discovered on May 12th, 2025, involved unauthorized access to its Crash Records Information System (CRIS). Texas officials revealed that a hacker gained entry through a compromised user account and proceeded to download a large volume of sensitive data. This data included personally identifiable information such as names, addresses, driver's license numbers, license plate numbers, and car insurance policy numbers.
The compromised crash reports contain detailed information about individuals involved in traffic accidents, including summaries of injuries sustained during the crash and narratives of the incidents. While TxDOT is not legally obligated to notify the public, it has chosen to proactively inform those affected by sending letters to individuals whose information was included in the stolen crash reports. TxDOT immediately disabled access from the compromised account upon discovering the unusual activity and launched an investigation into the matter. The Texas Department of Public Safety is currently investigating how the breach occurred and is attempting to determine the identity of the responsible parties. TxDOT is urging individuals who may have been affected to be cautious of potential scams and fraudulent activities. Letters sent to victims advise them to be wary of unsolicited emails, texts, or calls related to past crashes, and a dedicated call line has been established to address any questions or concerns. The exposed data poses a significant risk of financial fraud and identity theft for those affected, as the compromised information can be valuable for malicious actors. Recommended read:
References :
@cyberpress.org
//
Marks & Spencer (M&S), the prominent retail giant, was recently hit by a significant ransomware attack over the Easter period. The cyberattack, orchestrated by the DragonForce hacker group, disrupted crucial business functions, including online ordering and staff clocking systems. The attackers employed "double extortion" tactics, indicating that they stole sensitive data before encrypting the company's servers. This aggressive move puts M&S at risk of both data loss and public exposure.
An exclusive report reveals that the CEO of M&S received an offensive extortion email detailing the timeline and nature of the attack. The email, reportedly filled with abusive language, claimed that DragonForce had "mercilessly raped" the company and encrypted its servers. In response to the attack, M&S took drastic measures by switching off the VPN used by staff for remote work, which successfully contained the spread of the ransomware, but further disrupted business operations. The financial impact of this cyber incident has been substantial, with reports indicating losses of approximately £40 million per week in sales. DragonForce, the ransomware group behind the attack, has reportedly compromised over 120 victims in the past year, establishing itself as a major player in the cybercrime landscape. The group has evolved from a Ransomware-as-a-Service (RaaS) model to a fully-fledged ransomware cartel, targeting organizations across various sectors, including manufacturing, healthcare, and retail. While the origins of DragonForce are speculative, technical indicators suggest a Russian alignment, including the use of Russian-linked infrastructure and recruitment efforts through Russian-speaking cybercrime forums. M&S has pointed to "human error" as the cause of the breach, with scrutiny falling on an employee of Tata Consultancy Services (TCS), which provides IT services to the retailer, although M&S has officially disputed claims that it didn't have proper plans to handle a ransomware incident. Recommended read:
References :
Rescana@Rescana
//
Recent ransomware attacks have underscored the persistent and evolving threat landscape facing organizations globally. Notably, Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), were targeted in separate cyber incidents. The Everest ransomware gang claimed responsibility for breaching Coca-Cola's systems, asserting access to sensitive internal documents and the personal information of nearly a thousand employees. Concurrently, the Gehenna hacking group claimed to have breached CCEP's Salesforce dashboard, potentially compromising over 23 million records. These incidents highlight the vulnerabilities inherent in interconnected digital ecosystems, emphasizing the need for robust cybersecurity measures and vigilant monitoring of network activities.
The healthcare sector has been particularly vulnerable, with Interlock ransomware causing significant disruption at Kettering Health, a network of hospitals in Ohio. The attackers leaked almost a terabyte of data, including patient information, financial records, and employee details after claiming responsibility. This breach led to canceled medical procedures, and a temporary reliance on paper-based systems. Covenant Health also experienced a cyberattack that forced the shutdown of their systems across multiple hospitals. Similarly, Bailey’s catering services, associated with a restaurant group in Louisiana, has been listed as a victim by the Medusa ransomware group, with attackers demanding a $100,000 ransom. These events underscore the severe consequences of ransomware attacks on essential services and sensitive data. In response to the rising ransomware threat, some countries are implementing stricter regulations. Australia, for example, now requires businesses with an annual turnover exceeding AUS $3 million to report ransomware payments to the Australian Signals Directorate within 72 hours. This legislation aims to improve the tracking of ransomware incidents and inform cybersecurity strategies, even though paying ransoms is still technically legal. The law also includes a six-month grace period for organizations to adapt to the new reporting requirements. Additionally, recent law enforcement operations like Operation Endgame have demonstrated progress in disrupting the ransomware ecosystem by targeting malware testing services and initial access malware strains. Recommended read:
References :
Jessica Lyons@The Register
//
A significant data breach impacting AT&T customers has resurfaced, with threat actors re-releasing data from a 2021 incident that affects a staggering 70 million individuals. This latest release is particularly concerning because it combines previously separate files, now directly linking Social Security numbers and birth dates to individual users. AT&T has acknowledged the situation and is actively investigating what they believe to be repackaged data from the earlier breach, which is now being offered for sale on dark web forums. The company is working to determine the full scope and impact of this re-released information.
This re-release has raised significant concerns about the potential for identity theft and fraud. The leaked data, which includes full names, dates of birth, phone numbers, email addresses, physical addresses, and Social Security numbers, provides a comprehensive set of personal information that could be exploited for malicious purposes. While AT&T is investigating the source of the leak and the claims of decrypted Social Security numbers, the exposure of such sensitive data puts millions of customers at risk. The incident has prompted AT&T to urge its customers to remain vigilant and take proactive steps to protect their personal information. Security experts recommend monitoring credit reports, changing passwords, and being cautious of phishing attempts. The incident also raises questions about the security measures in place to protect customer data and the potential need for stronger safeguards to prevent future breaches. Recommended read:
References :
Pauline Dornig@it-daily.net
//
The ransomware group Interlock has claimed responsibility for the recent cyberattack on Kettering Health, a US healthcare organization comprised of hospitals, clinics, and medical centers in Ohio. The attack, which initially disrupted the healthcare system on May 20th, forced the shutdown of all computer systems and has left Kettering Health struggling to fully recover over two weeks later. CNN first reported on Interlock’s involvement in the breach, but at the time, the group had not publicly taken credit, leading to speculation that ransom negotiations might be underway. However, Interlock has now come forward, potentially indicating that negotiations with Kettering Health have been unsuccessful.
Interlock announced its involvement by posting alleged stolen data on its dark web site, claiming to have exfiltrated over 940 gigabytes of data from Kettering Health’s internal network. A preliminary review of the posted files indicates that the stolen data includes sensitive private health information, such as patient names, patient numbers, and detailed clinical summaries. These summaries contain sensitive information including mental status assessments, medication lists, health concerns, and other specific details about patients' medical conditions. The stolen data also encompasses employee information and the contents of shared drives, raising concerns about further potential privacy breaches. The cyberattack has severely impacted Kettering Health's operations. Since the initial breach, numerous medical procedures have been canceled or postponed, forcing healthcare professionals to revert to paper-based documentation. This digital standstill has significantly affected clinical care for approximately 1.5 million patients annually. While Kettering Health has reported progress in restoring its systems, including bringing the electronic health record (EHR) system "Epic" back online with the help of around 200 employees, the full extent of the damage and the long-term consequences of the data breach are still unfolding. Recommended read:
References :
Zack Whittaker@techcrunch.com
//
Lee Enterprises, a major newspaper publishing company, has confirmed a significant data breach affecting approximately 40,000 employees. The breach stemmed from a ransomware attack that occurred in February of 2025, which had already caused widespread disruptions to operations at numerous U.S. media outlets. The company confirmed in a letter filed with Maine's attorney general that the personal information of 39,779 people was stolen in the cyberattack, including Social Security numbers.
The stolen data includes sensitive personal information, raising serious concerns about potential identity theft and further cybercrimes. According to letters being sent to the 39,779 affected individuals, the data concerns "certain employees," implying the breach primarily impacts current and former staff members. It's reported that the Iowa-based company confirmed first and last names, as well as social security numbers, were among the data types potentially accessed, although it does not think any of it has been misused. Qilin, a prolific ransomware gang known for destructive cyberattacks, took credit for the breach. Lee Enterprises has stated they detected the attack on February 3rd, although the unauthorized access to data began two days prior. The company maintains that upon discovering the incident, immediate steps were taken to enhance security and minimize the risk of future occurrences, including notifying the Federal Bureau of Investigation. Recommended read:
References :
Dissent@DataBreaches.Net
//
Luxury brand Cartier has confirmed a data breach impacting its customers. The breach stemmed from a security incident affecting one of its third-party service providers. This incident has exposed sensitive customer information, including names, contact details, and dates of birth. Cartier has notified affected clients and is taking steps to address the breach and reinforce its security measures.
This incident highlights the growing concern around supply chain security and the potential vulnerabilities introduced by third-party vendors. Even prestigious brands like Cartier are susceptible to data breaches if their partners' security defenses are not robust. The breach serves as a reminder for organizations to carefully assess and manage the security risks associated with their external service providers. It's yet another reminder that supply chain security is not a theoretical risk. Even the most prestigious brands can find their reputation tarnished if a partner’s defences aren't watertight. While details remain limited, this breach comes amid a series of recent cyberattacks targeting high-end brands in both Europe and the U.S.. According to SecurityWeek, Cartier emphasized that no passwords, credit card numbers, or banking information were involved in the breach. It is not yet known if these attacks are related or the work of a single group. Cartier is owned by Richemont, and the company is working to determine the full scope of the incident and implement measures to prevent future occurrences. Recommended read:
References :
Zack Whittaker@techcrunch.com
//
Data broker giant LexisNexis has disclosed a significant data breach affecting over 364,000 individuals. The breach targeted LexisNexis Risk Solutions (LNRS), a unit specializing in "know your customer," risk assessment, due diligence, and law enforcement assistance. An unauthorized party gained access to a third-party software development platform utilized by LNRS, resulting in the theft of sensitive personal data.
The intrusion, which occurred on December 25, 2024, was detected by LexisNexis on April 1, 2025. Initial reports indicate that the stolen data includes names, phone numbers, home addresses, email addresses, Social Security numbers, driver's license numbers, and dates of birth. While LexisNexis asserts that its own systems and infrastructure were not compromised, the breach raises concerns about the security of data entrusted to third-party vendors. The company stated that "No financial, credit card, or other sensitive personal information was accessed". LexisNexis is notifying affected individuals and relevant regulators about the breach. The company also reported the incident to law enforcement. They are offering affected individuals 24 months of identity protection and credit monitoring through Experian. The incident highlights the vulnerability of personal data within the data broker industry and comes shortly after the scrapping of a Biden-era rule intended to restrict data brokers from selling Americans’ sensitive information. Recommended read:
References :
@cyberinsider.com
//
Adidas has confirmed a data breach impacting customer data via a third-party customer service provider. According to Adidas, the compromised data primarily consists of contact information of customers who had previously contacted their customer service help desk. The company assures that sensitive information like passwords, credit card, or any other payment-related information were not affected in the incident.
Adidas became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider. Adidas has immediately taken steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts. The company is currently notifying affected customers and is cooperating with data protection authorities and investigators as required by law. This breach marks the third publicly acknowledged incident involving the sportswear giant’s customer service systems recently. The company is working to clarify the situation, reinforcing the importance of securing third-party providers to prevent them from becoming a gateway for attackers to access target systems. Adidas expressed that they remain fully committed to protecting the privacy and security of their consumers and sincerely regret any inconvenience or concern caused by this incident. Recommended read:
References :
@cyble.com
//
Nova Scotia Power has officially confirmed it fell victim to a sophisticated ransomware attack, impacting approximately 280,000 customers. The breach, which began several weeks ago, involved unauthorized access to internal systems and the subsequent theft of sensitive data. The cyber incident targeted Nova Scotia Power’s digital infrastructure, encrypting critical systems and exfiltrating customer data. The power utility has confirmed it was hit by ransomware but hasn't paid the ransom, nearly a month after first disclosing the cyberattack.
Nova Scotia Power engaged third-party cybersecurity firms to isolate affected networks, mitigate further damage, and conduct forensic analyses. Investigations suggest the attackers employed advanced techniques to bypass existing safeguards, though specific details about the ransomware variant or entry vectors remain undisclosed. The company emphasized it did not comply with ransom demands, a decision it attributes to adherence to sanctions laws and coordination with law enforcement agencies. The threat actor publicly released portions of the stolen data, compelling Nova Scotia Power to initiate a large-scale notification campaign. Impacted customers received physical mail detailing the breach’s scope and remediation steps. The compromised information reportedly includes names, addresses, account numbers, and potentially payment histories. To address identity theft risks, Nova Scotia Power partnered with TransUnion to offer affected individuals a two-year subscription to the myTrueIdentity® credit monitoring service at no cost, including real-time credit alerts and dark web surveillance. Recommended read:
References :
Waqas@hackread.com
//
A massive database containing over 184 million unique login credentials has been discovered online by cybersecurity researcher Jeremiah Fowler. The unprotected database, which amounted to approximately 47.42 gigabytes of data, was found on a misconfigured cloud server and lacked both password protection and encryption. Fowler, from Security Discovery, identified the exposed Elastic database in early May and promptly notified the hosting provider, leading to the database being removed from public access.
The exposed credentials included usernames and passwords for a vast array of online services, including major tech platforms like Apple, Microsoft, Facebook, Google, Instagram, Snapchat, Roblox, Spotify, WordPress, and Yahoo, as well as various email providers. More alarmingly, the data also contained access information for bank accounts, health platforms, and government portals from numerous countries, posing a significant risk to individuals and organizations. The authenticity of the data was confirmed by Fowler, who contacted several individuals whose email addresses were listed in the database, and they verified that the passwords were valid. The origin and purpose of the database remain unclear, with no identifying information about its owner or collector. The sheer scope and diversity of the login details suggest that the data may have been compiled by cybercriminals using infostealer malware. Jeremiah Fowler described the find as "one of the most dangerous discoveries" he has found in a very long time. The database's IP address pointed to two domain names, one of which was unregistered, further obscuring the identity of the data's owner and intended use. Recommended read:
References :
|