CyberSecurity news

FlagThis - #databreach

@cyble.com //
Ransomware groups keep changing their tactics, and the threat to organizations worldwide keeps growing. Recent reports describe two recurring patterns: exploitation of unpatched software to get in, and abuse of legitimate employee monitoring software once inside. A Symantec report on a Fog ransomware intrusion is a case in point: the attackers deployed Syteca, a legitimate employee monitoring product that records on-screen activity and logs keystrokes, and pushed it to hosts with PsExec and SMBExec. Because the tool itself is benign, the delivery mechanism (remote service installation) is the part worth detecting.
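As an added example (not code from Symantec, Cyble or the Fog report), the script below runs detection logic over constructed Windows System log "service installed" records (Event ID 7045) and flags the three things the intrusion above would produce: a PsExec service, an SMBExec-style throw-away service, and a benign binary being installed as a service on many hosts in a short window. The hostnames, timestamps, service names and paths are invented for the demo; the matching rules are based on how Sysinternals PsExec (PSEXESVC.exe) and impacket's smbexec (a cmd.exe one-liner redirecting output to \\127.0.0.1\<share>\__output) register their services.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows System log "A service was installed" (Event ID 7045)
# records flattened to one line each. Hostnames, timestamps, service names and
# paths are invented for this example.
SAMPLE_EVENTS = r"""
2025-06-10T09:12:01 HOST=FS-01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
2025-06-10T09:12:40 HOST=FS-01 EventID=7045 ServiceName=BTOBTO ImagePath=%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
2025-06-10T09:15:02 HOST=WS-11 EventID=7045 ServiceName=MonitorSvc ImagePath=C:\ProgramData\mon\agent.exe
2025-06-10T09:15:09 HOST=WS-12 EventID=7045 ServiceName=MonitorSvc ImagePath=C:\ProgramData\mon\agent.exe
2025-06-10T09:15:21 HOST=WS-13 EventID=7045 ServiceName=MonitorSvc ImagePath=C:\ProgramData\mon\agent.exe
2025-06-10T11:40:00 HOST=WS-20 EventID=7045 ServiceName=PrintHelper ImagePath=C:\Windows\System32\spoolsv.exe
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) HOST=(?P<host>\S+) EventID=7045 "
    r"ServiceName=(?P<svc>\S+) ImagePath=(?P<path>.*)$"
)

# Sysinternals PsExec copies PSEXESVC.exe to the target and registers it as a
# service. The service name can be changed with -r, so match the binary as well.
PSEXEC_RE = re.compile(r"psexesvc", re.IGNORECASE)

# impacket smbexec registers a throw-away service whose ImagePath is a cmd.exe
# one-liner that echoes the command into a batch file and redirects output to
# \\127.0.0.1\<share>\__output. The default service name (BTOBTO) is trivially
# changed, so match the command shape instead of the name.
SMBEXEC_RE = re.compile(r"/Q\s+/c\s+echo\s.*\\\\127\.0\.0\.1\\\S*__output", re.IGNORECASE)


def parse_events(text):
    """Turn the flattened log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a 7045 record in the expected layout
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_remote_exec_tools(events):
    """Per-event rules: PsExec service binary, smbexec command pattern."""
    findings = []
    for ev in events:
        if PSEXEC_RE.search(ev["svc"]) or PSEXEC_RE.search(ev["path"]):
            findings.append(("psexec_service", ev["host"], ev["svc"]))
        if SMBEXEC_RE.search(ev["path"]):
            findings.append(("smbexec_service", ev["host"], ev["svc"]))
    return findings


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Same service binary installed on >= min_hosts distinct hosts inside `window`.

    This is how a legitimate agent pushed with PsExec/SMBExec shows up: the
    binary is benign, the mass rollout outside change control is the signal.
    """
    by_binary = defaultdict(list)
    for ev in events:
        binary = ev["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        by_binary[binary].append((ev["ts"], ev["host"]))
    findings = []
    for binary, installs in by_binary.items():
        installs.sort()
        for i, (start, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings.append(("mass_service_install", binary, tuple(sorted(hosts))))
                break  # one finding per binary is enough for triage
    return findings


def analyze(text):
    """Run all rules over a block of flattened 7045 records."""
    events = parse_events(text)
    return detect_remote_exec_tools(events) + detect_fanout(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The fan-out rule is the one that catches the Syteca-style case: nothing about `agent.exe` is malicious, but three installs in twenty seconds with no change ticket is exactly what a PsExec push looks like. Tune `window` and `min_hosts` against your own deployment tooling so that legitimate software distribution (SCCM, Intune, your RMM) is excluded by host or by signer rather than by raising the thresholds.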

The Cybersecurity and Infrastructure Security Agency (CISA) issued Advisory AA25-163A, warning that ransomware actors are exploiting CVE-2024-57727 in unpatched SimpleHelp Remote Monitoring and Management (RMM) software, versions 5.5.7 and earlier. Through this vulnerability attackers compromised a utility billing software provider and went on to run double-extortion attacks against its downstream customers. Attacks on unpatched SimpleHelp deployments have been observed since January 2025, so this is a sustained campaign rather than a one-off. The practical check is whether any SimpleHelp server in your estate, or in a vendor's estate that reaches into it, is still on 5.5.7 or earlier; an RMM tool is by design a remote-control channel into every endpoint it manages.

Not every breach starts with a software vulnerability; some are straightforward account or system compromises. Zoomcar, an Indian car-sharing company, recently acknowledged a breach affecting 8.4 million users, in which attackers accessed customer names, phone numbers, car registration numbers, home addresses and email addresses. Passwords and financial details were reportedly not exposed, but the breach again raises questions about how much personal data such platforms retain. Separately, the DragonForce group has started posting new victims to its darknet leak site, publicly extorting two new organizations, a reminder that double extortion remains the standard ransomware playbook.

Recommended read:
References :
  • cyble.com: The greatest number of ransomware attacks were directed towards the professional services and construction sectors.
  • cybersecurityventures.com: Ransomware: File Data Is Harder to Manage and Defend

Bill Toulas@BleepingComputer //
The Texas Department of Transportation (TxDOT) is alerting the public to a significant data breach that compromised nearly 300,000 crash records. The incident, discovered on May 12th, 2025, involved unauthorized access to its Crash Records Information System (CRIS). Texas officials revealed that a hacker gained entry through a compromised user account and proceeded to download a large volume of sensitive data. This data included personally identifiable information such as names, addresses, driver's license numbers, license plate numbers, and car insurance policy numbers.

The compromised crash reports contain detailed information about individuals involved in traffic accidents, including summaries of injuries sustained during the crash and narratives of the incidents. While TxDOT is not legally obligated to notify the public, it has chosen to proactively inform those affected by sending letters to individuals whose information was included in the stolen crash reports. TxDOT immediately disabled access from the compromised account upon discovering the unusual activity and launched an investigation into the matter.

The Texas Department of Public Safety is currently investigating how the breach occurred and is attempting to determine the identity of the responsible parties. TxDOT is urging individuals who may have been affected to be cautious of potential scams and fraudulent activities. Letters sent to victims advise them to be wary of unsolicited emails, texts, or calls related to past crashes, and a dedicated call line has been established to address any questions or concerns. The exposed data poses a significant risk of financial fraud and identity theft for those affected, as the compromised information can be valuable for malicious actors.

Recommended read:
References :
  • The Record: Texas said hackers compromised an account at the Department of Transportation (TxDOT). The agency discovered unusual activity on May 12 involving its Crash Records Information System (CRIS).
  • BleepingComputer: The Texas Department of Transportation (TxDOT) is warning that it suffered a data breach after a threat actor downloaded 300,000 crash records from its database.
  • bsky.app: Texas Department of Transportation (TxDOT) is warning that it suffered a data breach after a threat actor downloaded 300,000 crash records from its database.
  • The Register: Texas warns 300,000 crash reports siphoned via compromised user account
  • The Register - Security: Texas warns 300,000 crash reports siphoned via compromised user account
  • therecord.media: Texas officials said a hacker downloaded almost 300,000 crash reports after taking over a government employee account. The crash docs include IDs, license plate numbers, summaries of injuries and more.
  • securityaffairs.com: Texas Department of Transportation (TxDOT) data breach exposes 300,000 crash reports
  • www.bleepingcomputer.com: The Texas Department of Transportation is warning that it suffered a data breach after a threat actor downloaded 300,000 crash records from its database.
  • go.theregister.com: The Register reports Texas warns 300,000 crash reports siphoned via compromised user account.
  • securityaffairs.com: Hackers breached Texas DOT (TxDOT), stealing 300,000 crash reports with personal data from its Crash Records Information System (CRIS). The Texas Department of Transportation is a state agency that manages Texas’s transportation systems. It

@cyberpress.org //
Marks & Spencer (M&S), the prominent retail giant, was recently hit by a significant ransomware attack over the Easter period. The cyberattack, orchestrated by the DragonForce hacker group, disrupted crucial business functions, including online ordering and staff clocking systems. The attackers employed "double extortion" tactics, indicating that they stole sensitive data before encrypting the company's servers. This aggressive move puts M&S at risk of both data loss and public exposure.

An exclusive report reveals that the CEO of M&S received an offensive extortion email detailing the timeline and nature of the attack. The email, reportedly filled with abusive language, claimed that DragonForce had "mercilessly raped" the company and encrypted its servers. In response to the attack, M&S took drastic measures by switching off the VPN used by staff for remote work, which successfully contained the spread of the ransomware, but further disrupted business operations. The financial impact of this cyber incident has been substantial, with reports indicating losses of approximately £40 million per week in sales.

DragonForce, the ransomware group behind the attack, has reportedly compromised over 120 victims in the past year, establishing itself as a major player in the cybercrime landscape. The group has evolved from a Ransomware-as-a-Service (RaaS) model to a fully-fledged ransomware cartel, targeting organizations across various sectors, including manufacturing, healthcare, and retail. While the origins of DragonForce are speculative, technical indicators suggest a Russian alignment, including the use of Russian-linked infrastructure and recruitment efforts through Russian-speaking cybercrime forums. M&S has pointed to "human error" as the cause of the breach, with scrutiny falling on an employee of Tata Consultancy Services (TCS), which provides IT services to the retailer, although M&S has officially disputed claims that it didn't have proper plans to handle a ransomware incident.

Recommended read:
References :
  • www.bitdefender.com: Marks & Spencer’s ransomware nightmare – more details emerge
  • bsky.app: EXCLUSIVE: "We have mercilessly raped your company and encrypted all the servers" - the aggressive extortion email sent to the CEO of M&S has been revealed. The offensive blackmail note reveals lots of things about the nature of the attack, the timeline and the hackers
  • cyberpress.org: Reports over 120 victims have been compromised in the last year.
  • The Register - Security: M&S online ordering system operational 46 days after cyber shutdown
  • www.techradar.com: M&S online orders are back following cyberattack - here's what you need to know
  • www.cybersecuritydive.com: Marks & Spencer restores some online-order operations following cyberattack
  • www.techdigest.tv: M&S resumes online orders weeks after cyber attack
  • www.tripwire.com: Report on DragonForce's email to M&S CEO about taking responsibility for the attack.
  • bsky.app: DragonForce has started posting new victims to its darknet site. Two new orgs now being publicly extorted. Nothing yet on Co-op/M&S/ Harrods.
  • www.infosecworrier.dk: Details regarding the significant data breach and the ransomware attack targeting Marks & Spencer.

Rescana@Rescana //
Recent ransomware attacks have underscored the persistent and evolving threat landscape facing organizations globally. Notably, Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), were targeted in separate cyber incidents. The Everest ransomware gang claimed responsibility for breaching Coca-Cola's systems, asserting access to sensitive internal documents and the personal information of nearly a thousand employees. Concurrently, the Gehenna hacking group claimed to have breached CCEP's Salesforce dashboard, potentially compromising over 23 million records. These incidents highlight the vulnerabilities inherent in interconnected digital ecosystems, emphasizing the need for robust cybersecurity measures and vigilant monitoring of network activities.

The healthcare sector has been particularly vulnerable, with Interlock ransomware causing significant disruption at Kettering Health, a network of hospitals in Ohio. The attackers leaked almost a terabyte of data, including patient information, financial records, and employee details after claiming responsibility. This breach led to canceled medical procedures, and a temporary reliance on paper-based systems. Covenant Health also experienced a cyberattack that forced the shutdown of their systems across multiple hospitals. Similarly, Bailey’s catering services, associated with a restaurant group in Louisiana, has been listed as a victim by the Medusa ransomware group, with attackers demanding a $100,000 ransom. These events underscore the severe consequences of ransomware attacks on essential services and sensitive data.

In response to the rising ransomware threat, some countries are implementing stricter regulations. Australia, for example, now requires businesses with an annual turnover above AU$3 million to report ransomware payments to the Australian Signals Directorate within 72 hours. The legislation aims to improve the tracking of ransomware incidents and inform national cybersecurity strategy; paying a ransom remains legal, but doing so silently no longer is. The law includes a six-month grace period for organizations to adapt to the reporting requirements. Additionally, recent law enforcement operations such as Operation Endgame have made progress in disrupting the ransomware ecosystem by targeting malware testing services and the initial-access malware strains that feed ransomware affiliates.

Recommended read:
References :
  • Rescana: Coca-Cola and CCEP Cyber Incident: Everest Ransomware and Gehenna Breach of Salesforce Data
  • cyberinsider.com: Ransomware Attack at Lee Enterprises Impacted Nearly 40,000 Individuals
  • Zack Whittaker: Lee Enterprises, the newspaper publishing giant that was hit by a ransomware attack in February, causing widespread disruption to dozens of U.S. media outlets, has confirmed the cyberattack resulted in the theft of ~40,000 employees’ personal data.
  • www.it-daily.net: Ransomware attack on Kettering Health: Interlock publishes data

Jessica Lyons@The Register //
A significant data breach impacting AT&T customers has resurfaced, with threat actors re-releasing data from a 2021 incident that affects a staggering 70 million individuals. This latest release is particularly concerning because it combines previously separate files, now directly linking Social Security numbers and birth dates to individual users. AT&T has acknowledged the situation and is actively investigating what they believe to be repackaged data from the earlier breach, which is now being offered for sale on dark web forums. The company is working to determine the full scope and impact of this re-released information.

This re-release has raised significant concerns about the potential for identity theft and fraud. The leaked data, which includes full names, dates of birth, phone numbers, email addresses, physical addresses, and Social Security numbers, provides a comprehensive set of personal information that could be exploited for malicious purposes. While AT&T is investigating the source of the leak and the claims of decrypted Social Security numbers, the exposure of such sensitive data puts millions of customers at risk.

The incident has prompted AT&T to urge its customers to remain vigilant and take proactive steps to protect their personal information. Security experts recommend monitoring credit reports, changing passwords, and being cautious of phishing attempts. The incident also raises questions about the security measures in place to protect customer data and the potential need for stronger safeguards to prevent future breaches.

Recommended read:
References :
  • bsky.app: A threat actor has re-released data from a 2021 AT&T breach affecting 70 million customers, this time combining previously separate files to directly link Social Security numbers and birth dates to individual users.
  • cyberinsider.com: AT&T Investigating New Leak of 86 Million Customer Records with Decrypted SSNs
  • hackread.com: Hackers leak data of 88 million AT&T customers with decrypted SSNs; latest breach raises questions about links to earlier Snowflake-related attack.
  • BleepingComputer: A threat actor has re-released data from a 2021 AT&T breach affecting 70 million customers, this time combining previously separate files to directly link Social Security numbers and birth dates to individual users.
  • The Register - Security: AT&T not sure if new customer data dump is déjà vu

Pauline Dornig@it-daily.net //
The ransomware group Interlock has claimed responsibility for the recent cyberattack on Kettering Health, a US healthcare organization comprised of hospitals, clinics, and medical centers in Ohio. The attack, which initially disrupted the healthcare system on May 20th, forced the shutdown of all computer systems and has left Kettering Health struggling to fully recover over two weeks later. CNN first reported on Interlock’s involvement in the breach, but at the time, the group had not publicly taken credit, leading to speculation that ransom negotiations might be underway. However, Interlock has now come forward, potentially indicating that negotiations with Kettering Health have been unsuccessful.

Interlock announced its involvement by posting alleged stolen data on its dark web site, claiming to have exfiltrated over 940 gigabytes of data from Kettering Health’s internal network. A preliminary review of the posted files indicates that the stolen data includes sensitive private health information, such as patient names, patient numbers, and detailed clinical summaries. These summaries contain sensitive information including mental status assessments, medication lists, health concerns, and other specific details about patients' medical conditions. The stolen data also encompasses employee information and the contents of shared drives, raising concerns about further potential privacy breaches.

The cyberattack has severely impacted Kettering Health's operations. Since the initial breach, numerous medical procedures have been canceled or postponed, forcing healthcare professionals to revert to paper-based documentation. This digital standstill has significantly affected clinical care for approximately 1.5 million patients annually. While Kettering Health has reported progress in restoring its systems, including bringing the electronic health record (EHR) system "Epic" back online with the help of around 200 employees, the full extent of the damage and the long-term consequences of the data breach are still unfolding.

Recommended read:
References :
  • infosec.exchange: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • techcrunch.com: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • www.it-daily.net: Report on a ransomware attack on Kettering Health.
  • techcrunch.com: Health giant Kettering still facing disruption weeks after ransomware attack
  • The Register - Security: Ransomware scum leak patient data after disrupting chemo treatments at Kettering
  • BleepingComputer: Kettering Health confirms Interlock ransomware behind cyberattack
  • www.bleepingcomputer.com: Details about the leaked data.

Zack Whittaker@techcrunch.com //
Lee Enterprises, a major newspaper publishing company, has confirmed a significant data breach affecting approximately 40,000 employees. The breach stemmed from a ransomware attack that occurred in February of 2025, which had already caused widespread disruptions to operations at numerous U.S. media outlets. The company confirmed in a letter filed with Maine's attorney general that the personal information of 39,779 people was stolen in the cyberattack, including Social Security numbers.

The stolen data includes sensitive personal information, raising serious concerns about identity theft and follow-on fraud. According to the letters being sent to the 39,779 affected individuals, the data concerns "certain employees," implying the breach primarily affects current and former staff. The Iowa-based company confirmed that first and last names and Social Security numbers were among the data types potentially accessed, although it says it has no indication that any of it has been misused.

Qilin, a prolific ransomware gang known for destructive cyberattacks, took credit for the breach. Lee Enterprises has stated they detected the attack on February 3rd, although the unauthorized access to data began two days prior. The company maintains that upon discovering the incident, immediate steps were taken to enhance security and minimize the risk of future occurrences, including notifying the Federal Bureau of Investigation.

Recommended read:
References :
  • The Register - Security: A short summary of the story.
  • techcrunch.com: TechCrunch article on data breach at Lee Enterprises.
  • bsky.app: Publishing giant Lee Enterprises is notifying over 39,000 people whose personal information was stolen in a February 2025 ransomware attack.
  • Zack Whittaker: Lee Enterprises, the newspaper publishing giant that was hit by a ransomware attack in February, causing widespread disruption to dozens of U.S. media outlets, has confirmed the cyberattack resulted in the theft of ~40,000 employees’ personal data.
  • CyberInsider: Ransomware Attack at Lee Enterprises Impacted Nearly 40,000 Individuals
  • cyberinsider.com: Ransomware Attack at Lee Enterprises Impacted Nearly 40,000 Individuals
  • techcrunch.com: Lee Enterprises, the newspaper publishing giant that was hit by a ransomware attack in February, causing widespread disruption to dozens of U.S. media outlets, has confirmed the cyberattack resulted in the theft of ~40,000 employees’ personal data.
  • BleepingComputer: Media giant Lee Enterprises says data breach affects 39,000 people

Dissent@DataBreaches.Net //
Luxury brand Cartier has confirmed a data breach impacting its customers. The breach stemmed from a security incident affecting one of its third-party service providers. This incident has exposed sensitive customer information, including names, contact details, and dates of birth. Cartier has notified affected clients and is taking steps to address the breach and reinforce its security measures.

This incident highlights the growing concern around supply chain security and the exposure introduced by third-party vendors. Even a brand like Cartier is only as well protected as the providers that hold its customer data, and it is the brand, not the vendor, whose name appears in the breach notice. The practical takeaway for organizations is to inventory which external providers hold customer data, assess and contractually bind their security controls, and have a notification path agreed before an incident rather than after.

While details remain limited, this breach comes amid a series of recent cyberattacks targeting high-end brands in both Europe and the U.S. According to SecurityWeek, Cartier emphasized that no passwords, credit card numbers, or banking information were involved in the breach. It is not yet known whether these attacks are related or the work of a single group. Cartier is owned by Richemont, and the company is working to determine the full scope of the incident and implement measures to prevent a recurrence.

Recommended read:
References :
  • bsky.app: Cartier suffered a data breach that exposed customer personal information after its systems were compromised.
  • DataBreaches.Net: Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • malware.news: Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Graham Cluley: Cartier has confirmed a data breach that exposed customers' personal information, following a security incident at a third-party service provider.
  • BleepingComputer: Luxury fashion brand Cartier is warning customers it suffered a data breach that exposed customers' personal information after its systems were compromised.
  • www.techradar.com: Luxury retailer Cartier experienced a data breach exposing customer personal information, including names, emails, and countries.
  • cyberinsider.com: Cartier Alerts Customers of Data Breach Exposing Personal Information
  • Davey Winder: Warning As Cartier Hacked — What You Need To Know
  • www.scworld.com: Data compromise confirmed by Cartier
  • securityaffairs.com: Luxury-goods conglomerate Cartier disclosed a data breach that exposed customer information after a cyberattack.
  • hackread.com: Cyberattacks Hit Top Retailers: Cartier, North Face Among Latest Victims
  • www.itpro.com: North Face, Cartier among latest retail cyber attack victims – here’s what we know so far

Zack Whittaker@techcrunch.com //
Data broker giant LexisNexis has disclosed a significant data breach affecting over 364,000 individuals. The breach targeted LexisNexis Risk Solutions (LNRS), a unit specializing in "know your customer," risk assessment, due diligence, and law enforcement assistance. An unauthorized party gained access to a third-party software development platform utilized by LNRS, resulting in the theft of sensitive personal data.

The intrusion, which occurred on December 25, 2024, was detected by LexisNexis on April 1, 2025. Initial reports indicate that the stolen data includes names, phone numbers, home addresses, email addresses, Social Security numbers, driver's license numbers, and dates of birth. While LexisNexis asserts that its own systems and infrastructure were not compromised, the breach raises concerns about the security of data entrusted to third-party vendors. The company stated that "No financial, credit card, or other sensitive personal information was accessed".

LexisNexis is notifying affected individuals and relevant regulators about the breach. The company also reported the incident to law enforcement. They are offering affected individuals 24 months of identity protection and credit monitoring through Experian. The incident highlights the vulnerability of personal data within the data broker industry and comes shortly after the scrapping of a Biden-era rule intended to restrict data brokers from selling Americans’ sensitive information.

Recommended read:
References :
  • The Register - Software: Attack on LexisNexis Risk Solutions exposes data on 300k +
  • Zack Whittaker: New, by me: Data broker giant LexisNexis has revealed that its risk solutions unit (think "know your customer," risk assessing, due diligence, and law enforcement assistance) was breached, affecting the personal data and Social Security numbers of at least 364,000 people.
  • techcrunch.com: Data broker giant LexisNexis says breach exposed personal information of over 364,000 people
  • www.itpro.com: Breach at data analytics firm impacts 364,000 people
  • www.techradar.com: Over 364,000 people have personal info leaked following hack on data broker LexisNexis
  • ciso2ciso.com: Attack on LexisNexis Risk Solutions exposes data on 300k + – Source: go.theregister.com

@cyberinsider.com //
Adidas has confirmed a data breach impacting customer data via a third-party customer service provider. According to Adidas, the compromised data primarily consists of contact information of customers who had previously contacted their customer service help desk. The company assures that sensitive information like passwords, credit card, or any other payment-related information were not affected in the incident.

Adidas became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider. Adidas has immediately taken steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts. The company is currently notifying affected customers and is cooperating with data protection authorities and investigators as required by law.

This breach marks the third publicly acknowledged incident involving the sportswear giant’s customer service systems recently. The company is working to clarify the situation, reinforcing the importance of securing third-party providers to prevent them from becoming a gateway for attackers to access target systems. Adidas expressed that they remain fully committed to protecting the privacy and security of their consumers and sincerely regret any inconvenience or concern caused by this incident.

Recommended read:
References :
  • cyberinsider.com: Adidas Hit by Third Customer Data Breach Linked to Support Systems
  • The Register - Security: Adidas confirms criminals stole data from customer service provider
  • The420.in: Adidas Falls Victim to Cyberattack Amid Retail Industry Wave
  • BleepingComputer: Adidas warns of data breach after customer service provider hack
  • www.it-daily.net: Data leak at Adidas: contact data tapped via third-party providers
  • bsky.app: German sportswear giant Adidas disclosed a data breach after attackers hacked a customer service provider and stole some customers' data.
  • Graham Cluley: Adidas customers’ personal information at risk after data breach
  • hackread.com: Adidas Confirms Cyber Attack, Customer Data Stolen
  • www.bleepingcomputer.com: Adidas warns of data breach after customer service provider hack
  • Graham Cluley: Adidas customers' personal information at risk after third-party data breach.
  • bsky.app: Adidas customers' personal information at risk after third-party data breach.
  • techinformed.com: Adidas becomes latest consumer brand to be hit with a cyber breach
  • www.techradar.com: Adidas confirms customer data stolen in worrying cyberattack
  • www.techdigest.tv: Adidas customer data stolen in latest retail cyber attack
  • PCMag UK security: Adidas Confirms Data Breach, Customer Contact Details Exposed
  • Rescana: April 2025 Adidas Data Breach: Supply Chain Attack via Third-Party Customer Service Provider
  • ComputerWeekly.com: Adidas confirms customer data was accessed during cyber attack

@cyble.com //
Nova Scotia Power has confirmed that it was the victim of a ransomware attack affecting approximately 280,000 customers. The intrusion began several weeks before disclosure and involved unauthorized access to internal systems, encryption of critical systems, and exfiltration of customer data. The utility confirmed the ransomware nature of the incident, and that it has not paid the ransom, nearly a month after first disclosing the cyberattack.

Nova Scotia Power engaged third-party cybersecurity firms to isolate affected networks, mitigate further damage, and conduct forensic analyses. Investigations suggest the attackers employed advanced techniques to bypass existing safeguards, though specific details about the ransomware variant or entry vectors remain undisclosed. The company emphasized it did not comply with ransom demands, a decision it attributes to adherence to sanctions laws and coordination with law enforcement agencies.

The threat actor publicly released portions of the stolen data, compelling Nova Scotia Power to initiate a large-scale notification campaign. Impacted customers received physical mail detailing the breach’s scope and remediation steps. The compromised information reportedly includes names, addresses, account numbers, and potentially payment histories. To address identity theft risks, Nova Scotia Power partnered with TransUnion to offer affected individuals a two-year subscription to the myTrueIdentity® credit monitoring service at no cost, including real-time credit alerts and dark web surveillance.

Recommended read:
References :
  • thecyberexpress.com: Nova Scotia Power has confirmed it was the victim of a ransomware attack, weeks after initially alerting customers to a cybersecurity breach.
  • Tech Monitor: Nova Scotia Power confirms data breach, customer information compromised
  • cyberpress.org: Nova Scotia Power Confirms Cyberattack Affecting 280K Customers
  • securityaffairs.com: Nova Scotia Power confirms it was hit by a ransomware attack but hasn’t paid the ransom, nearly a month after first disclosing the cyberattack.
  • Cyber Security News: Nova Scotia Power, a key utility provider, faced a significant ransomware attack, which led to the leak of customer data and exposed sensitive information.

Waqas@hackread.com //
A massive database containing over 184 million unique login credentials was discovered online by cybersecurity researcher Jeremiah Fowler. The unprotected database, approximately 47.42 gigabytes of data, sat on a misconfigured cloud server with neither authentication nor encryption in front of it. Fowler, of Security Discovery, identified the exposed Elasticsearch instance in early May and promptly notified the hosting provider, which took the database offline.

The exposed credentials included usernames and passwords for a vast array of online services, including major tech platforms like Apple, Microsoft, Facebook, Google, Instagram, Snapchat, Roblox, Spotify, WordPress, and Yahoo, as well as various email providers. More alarmingly, the data also contained access information for bank accounts, health platforms, and government portals from numerous countries, posing a significant risk to individuals and organizations. The authenticity of the data was confirmed by Fowler, who contacted several individuals whose email addresses were listed in the database, and they verified that the passwords were valid.

The origin and purpose of the database remain unclear, with no identifying information about its owner or collector. The sheer scope and diversity of the login details suggest that the data may have been compiled by cybercriminals using infostealer malware. Jeremiah Fowler described the find as "one of the most dangerous discoveries" he has found in a very long time. The database's IP address pointed to two domain names, one of which was unregistered, further obscuring the identity of the data's owner and intended use.

Recommended read:
References :
  • hackread.com: Database Leak Reveals 184 Million Infostealer-Harvested Emails and Passwords
  • PCMag UK security: Security Nightmare: Researcher Finds Trove of 184M Exposed Logins for Google, Apple, More
  • WIRED: Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
  • www.zdnet.com: Massive data breach exposes 184 million passwords for Google, Microsoft, Facebook, and more
  • Davey Winder: 184,162,718 Passwords And Logins Leaked — Apple, Facebook, Snapchat
  • DataBreaches.Net: Mysterious database of 184 million records exposes vast array of login credentials
  • 9to5Mac: Apple logins with plain text passwords found in massive database of 184M records
  • www.engadget.com: Someone Found Over 180 Million User Records in an Unprotected Online Database
  • borncity.com: Suspected InfoStealer data leak exposes 184 million login data
  • databreaches.net: The possibility that data could be inadvertently exposed in a misconfigured or otherwise unsecured database is a longtime privacy nightmare that has been difficult to fully address.
  • borncity.com: [German] Security researcher Jeremiah Fowler came across a freely accessible and unprotected database on the Internet. The find was quite something, as a look at the data sets suggests that it was probably data collected by InfoStealer malware. Records containing 184 …
  • securityonline.info: 184 Million Leaked Credentials Found in Open Database
  • Know Your Adversary: 184 Million Records Database Leak: Microsoft, Apple, Google, Facebook, PayPal Logins Found
  • securityonline.info: Security researchers have identified a database containing a staggering 184 million account credentials, prompting yet another urgent reminder to

Dissent@DataBreaches.Net //
Coinbase confirmed a significant data breach affecting 69,461 customers, revealing that overseas support staff were bribed to hand over sensitive user data to criminals. The breach, which began on December 26, 2024, went undetected until May 11, 2025, leaving customers vulnerable to potential phishing attacks and extortion schemes. Coinbase acknowledged the incident in a filing with the Securities and Exchange Commission (SEC) on May 15, further detailing that the perpetrators attempted to extort the company for $20 million. The company has since confirmed the support staff involved have been fired.

The compromised data included a wide range of personal information, such as names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, masked bank account numbers, images of government IDs (passports and driver's licenses), and Coinbase account data, including balance snapshots and transaction histories. Coinbase emphasized that passwords, seed phrases, and private keys were not compromised, ensuring direct access to accounts and funds remained secure. The company is offering affected users free one-year credit monitoring and identity protection services to mitigate the potential fallout.

In response to the breach, Coinbase is bolstering its cybersecurity measures and has issued a $20 million bounty for information leading to the arrest of those responsible. The company estimates spending between $180 million and $400 million to cover reimbursements to affected users and enhance security infrastructure. While Coinbase intends to reimburse customers who may have fallen victim to phishing scams stemming from the stolen data, concerns remain regarding the potential for continued targeting of Coinbase customers, prompting some legal professionals to consider class-action lawsuits against the cryptocurrency exchange.

@securityonline.info //
SK Telecom, South Korea's largest mobile network operator, revealed a significant data breach in April 2025 that exposed the USIM data of 27 million subscribers. The company first detected malware on its networks on April 19, 2025, and responded by isolating the compromised servers. Investigations have since revealed that the breach began as far back as June 15, 2022, when attackers deployed a web shell on one of SK Telecom's servers. This initial compromise provided a foothold in the network, allowing them to execute commands and deploy additional malware payloads across multiple servers.

The attackers were able to steal a wide array of sensitive information, including users’ IMSI numbers, USIM authentication keys, network usage data, text messages, and contacts stored on SIM cards. A joint investigative committee comprising the South Korean government and SK Telecom discovered 25 separate backdoor programs on the company’s servers. Because the breach went undetected for nearly three years, the intruders were able to implant backdoors tailored to different malicious functions. SK Telecom only began logging server activity on December 31, 2024, leaving a data void between June 15, 2022, and December 31, 2024, which makes it difficult to ascertain what data was exfiltrated or what malicious operations were executed during that time.

The breach has affected an estimated 26.95 million SK Telecom users, prompting the company to take immediate action. SK Telecom has suspended the onboarding of new customers and announced it will begin notifying all affected individuals to replace their SIM cards and adopt enhanced security measures. To mitigate the risks associated with SIM-swapping attacks, SK Telecom announced it would issue replacement SIM cards to all affected customers, while also implementing stricter safeguards to prevent unauthorized number transfers. The company also confirmed that USIM records for its entire subscriber base of 29 million people were exposed.

@ketteringhealth.org //
Kettering Health, a healthcare network operating 14 medical centers and over 120 outpatient facilities in western Ohio, has been hit by a ransomware attack causing a system-wide technology outage. The cyberattack, which occurred on Tuesday, May 20, 2025, has forced the cancellation of elective inpatient and outpatient procedures and has disrupted access to critical patient care systems, including phone lines, the call center, and the MyChart patient portal. Emergency services remain operational, but emergency crews are being diverted to other facilities due to the disruption. Kettering Health has confirmed they are responding to the cybersecurity incident involving unauthorized access to its network and has taken steps to contain and mitigate the breach, while actively investigating the situation.

The ransomware attack is suspected to involve the Interlock ransomware gang, which emerged last fall and has targeted various sectors, including tech, manufacturing firms, and government organizations. A ransom note, viewed by CNN, claimed the attackers had secured Kettering Health's most vital files and threatened to leak stolen data unless the health network began negotiating an extortion fee. In response to the disruption, Kettering Health has canceled elective procedures and is rescheduling them for a later date. Additionally, the organization is cautioning patients about scam calls from individuals posing as Kettering Health team members requesting credit card payments and has halted normal billing calls as a precaution.

The incident highlights the increasing cybersecurity challenges facing healthcare systems. According to cybersecurity experts, healthcare networks often operate with outdated technology and lack comprehensive cybersecurity training for staff, making them vulnerable to attacks. There is a call to action to invest in healthcare cybersecurity, with recommendations for the government and its partners to address understaffed healthcare cyber programs by tweaking federal healthcare funding programs to cover critical cybersecurity expenditures, augmenting healthcare cybersecurity workforces and incentivizing cyber maturity.

Recommended read:
References :
  • industrialcyber.co: Ransomware suspected in Kettering Health cyberattack disrupting patient services, canceling elective procedures
  • BleepingComputer: Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage.
  • DataBreaches.Net: Elective inpatient and outpatient procedures were canceled.
  • thecyberexpress.com: Kettering Health Hit by Cyberattack: Network Outage and Scam Calls Reported
  • The DefendOps Diaries: Strengthening Cybersecurity in Healthcare: Lessons from the Kettering Health Ransomware Attack
  • BleepingComputer: Kettering Health hit by system-wide outage after ransomware attack
  • The Dysruption Hub: Ransomware Attack Cripples Kettering Health Systems Across Ohio
  • www.healthcareitnews.com: Kettering Health faces a ransomware attack and confirms a scam targeting its patients
  • www.scworld.com: Apparent ransomware attack leads to systemwide outage for Kettering Health
  • Industrial Cyber: Ransomware suspected in Kettering Health cyberattack disrupting patient services, canceling elective procedures
  • www.itpro.com: The incident at Kettering Health disrupted procedures for patients
  • www.cybersecuritydive.com: Ohio’s Kettering Health hit by cyberattack