@cyble.com
//
Nova Scotia Power has confirmed it was the victim of a ransomware attack affecting approximately 280,000 customers. The intrusion, which began several weeks before disclosure, involved unauthorized access to internal systems, encryption of affected systems and the theft of customer data. Nearly a month after first disclosing the incident, the utility confirmed that ransomware was involved and that it has not paid the ransom.
Nova Scotia Power engaged third-party cybersecurity firms to isolate affected networks, contain the damage and conduct forensic analysis. The company has said little about how the attackers got in: neither the ransomware variant nor the initial access vector has been disclosed. It says it did not comply with the ransom demand, citing sanctions law and its coordination with law enforcement agencies.
The threat actor publicly released portions of the stolen data, compelling Nova Scotia Power to initiate a large-scale notification campaign. Impacted customers received physical mail detailing the breach’s scope and remediation steps. The compromised information reportedly includes names, addresses, account numbers, and potentially payment histories. To address identity theft risks, Nova Scotia Power partnered with TransUnion to offer affected individuals a two-year subscription to the myTrueIdentity® credit monitoring service at no cost, including real-time credit alerts and dark web surveillance.
References :
- thecyberexpress.com: Nova Scotia Power has confirmed it was the victim of a ransomware attack, weeks after initially alerting customers to a cybersecurity breach.
- Tech Monitor: Nova Scotia Power confirms data breach, customer information compromised
- cyberpress.org: Nova Scotia Power Confirms Cyberattack Affecting 280K Customers
- securityaffairs.com: Nova Scotia Power confirms it was hit by a ransomware attack but hasn’t paid the ransom, nearly a month after first disclosing the cyberattack.
- Cyber Security News: Nova Scotia Power, a key utility provider, faced a significant ransomware attack, which led to the leak of customer data and exposed sensitive information.
Dissent@DataBreaches.Net
//
A ransomware attack on Business Systems House (BSH), a Middle Eastern business partner of payroll provider ADP, resulted in the theft of Broadcom employee data in September 2024. The El Dorado ransomware group claimed responsibility in November of that year, according to open-source leak-site trackers. Broadcom, a multinational semiconductor and infrastructure software company, used ADP for payroll processing, with BSH acting as ADP's regional provider in the Middle East.
Broadcom was in the process of moving away from ADP and BSH at the time of the attack, but the switch had not been finalized. Although the stolen data was leaked online in December 2024, Broadcom was not informed of the breach until May 12, 2025. The delay highlights how hard it is for organizations to monitor and secure extended vendor ecosystems, including their vendors' subcontractors. The stolen data was unstructured, which complicated the identification of affected employees and of the specific data fields exposed.
After discovering the attack, BSH worked with ADP and outside experts to investigate the incident and harden BSH's environment against similar attacks. Local law enforcement and data protection authorities have been notified, and Broadcom's HR department has begun informing current and former staff who are affected.
References :
- DataBreaches.Net: Ransomware Attack on ADP Partner Exposes Broadcom Employee Data
- The Register - Security: Broadcom employee data stolen by ransomware crooks following hit on payroll provider
- malware.news: Ransomware attack on ADP partner exposes Broadcom employee data
- databreaches.net: Ransomware Attack on ADP Partner Exposes Broadcom Employee Data
- Rescana: Broadcom Data Breach: Ransomware Attack on Business Systems House Highlights Third-Party Cybersecurity Risks
- AAKL: A ransomware attack at a Middle Eastern business partner of payroll company ADP has led to customer data theft at Broadcom, The Register has learned.
- www.techradar.com: Broadcom hit by employee data theft after breach in supply chain
Dissent@DataBreaches.Net
//
In December 2024, PowerSchool, a major provider of K-12 software serving 60 million students across North America, suffered a significant data breach. Using a single stolen credential, the attacker gained access to sensitive student and teacher data, including personally identifiable information such as Social Security numbers and health data. The company paid an undisclosed ransom in exchange for a promise that the data would be deleted and not made public; that promise has not held.
Months later, the threat actor began targeting individual school districts with extortion demands based on the data stolen in the original breach. The Toronto District School Board (TDSB), along with other schools across North America, has confirmed receiving ransom demands. The exposed information includes names, contact details, birth dates, Social Security numbers and, in some cases, medical alert data. PowerSchool has confirmed that these extortion attempts stem from the original breach and is working with law enforcement.
Security practitioners have long warned against paying ransoms because there is no way to verify that attackers have deleted stolen data: a payment buys a promise, not a guarantee. This case shows the consequence, with the threat actor resurfacing to re-extort affected individuals and institutions. PowerSchool is offering two years of free identity protection to affected individuals, but it will face pressure to improve its security and to reassure stakeholders that it can prevent similar incidents.
References :
- bsky.app: The hacker behind PowerSchool's December breach is now extorting schools, threatening to release stolen student and teacher data.
- Threats | CyberScoop: The large education tech vendor was hit by a cyberattack and paid a ransom in December. Now, a threat actor is attempting to extort the company’s customers with stolen data.
- The Register - Security: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied
- The DefendOps Diaries: Report discussing the PowerSchool data breach and its implications.
- BleepingComputer: PowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening to release the previously stolen student and teacher data if a ransom is not paid. [...]
- www.bleepingcomputer.com: BleepingComputer reports on PowerSchool hacker extorting school districts.
- cyberscoop.com: PowerSchool customers hit by downstream extortion threats
- BleepingComputer: PowerSchool hacker now extorting individual school districts
- malware.news: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway
- DataBreaches.Net: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway
- PCMag UK security: UK PCMag covers PowerSchool attackers extorting teachers.
- go.theregister.com: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied. Now individual school districts extorted by fiends.
- Metacurity: PowerSchool hackers are extorting schools despite the company's ransom payment
- techcrunch.com: TechCrunch article on PowerSchool being hacked.
- hackread.com: PowerSchool Paid Ransom, Now Hackers Target Teachers for More
- ExpressVPN Blog: Teachers report that bad actors are now targeting them with threatening emails demanding payment following a massive 2024 breach affecting schools across the US and Canada. One of the largest hacks of US schools continues as teachers across the country say that threat actors are extorting them for more money and threatening to release the data.
- www.metacurity.com: PowerSchool hackers are extorting schools despite the company's ransom payment
- thecyberexpress.com: Toronto School Board Hit with Extortion Demand After PowerSchool Data Breach
- Blog: PowerSchool clients now targeted directly by threat actor
- cyberinsider.com: PowerSchool Ransom Fallout: Extortion Attempts Hit Schools Months After Data Breach
- www.techradar.com: PowerSchool hackers return, and may not have deleted stolen data as promised
- malware.news: Double-extortion tactics used in PowerSchool ransomware attack
- CyberInsider: Months after paying a ransom to suppress the fallout of a major data breach, PowerSchool is facing renewed turmoil as threat actors have begun extorting individual school districts using the same stolen data.
- Matthew Rosenquist: More extortions, same - a perfect example of how not to deal with risks. The nightmare continues for schools, students, and teachers whose private data was exposed by PowerSchool.
- matthewrosenquist.substack.com: PowerSchool data breach round 2 extortions
- aboutdfir.com: Reports an education tech provider paid thieves to delete stolen student, teacher data.
- MeatMutts: The educational sector has been rocked by a significant data breach involving PowerSchool, a leading education technology provider serving over 60 million students globally.
- aboutdfir.com: PowerSchool paid thieves to delete stolen student, teacher data. Looks like crooks lied An education tech provider that paid a ransom to prevent the leak of stolen student and teacher data is now watching its school district customers get individually extorted by either the same ransomware crew that hit it – or someone connected to
Dissent@DataBreaches.Net
//
British retailer Marks & Spencer (M&S) has been hit by a significant cyberattack that disrupted its online ordering system and in-store contactless payments. The incident, which began last week, led to the temporary suspension of online orders and of refunds for some customers. Security researchers now suspect the Scattered Spider collective, and the attack has crippled the retailer's systems and its ecommerce operation.
BleepingComputer reports that the ongoing outages at M&S are the result of a ransomware attack. Scattered Spider, known for targeting large organizations, is believed to have breached M&S as early as February and to have stolen the NTDS.dit file from the Windows domain. NTDS.dit is the Active Directory database: it holds every domain account together with its password hashes, so an attacker who copies it (from the domain controller directly, from a volume shadow copy, or by pulling the same secrets over the replication protocol in a DCSync attack) can crack or pass those hashes to move laterally and take control of further systems. The group then reportedly deployed the DragonForce encryptor against M&S's virtual machines running on VMware ESXi hosts, launching the main attack on April 24th.
The impact extends beyond online services. M&S has acknowledged "pockets of limited availability" in its physical stores, with reports of empty shelves nationwide, indicating disruption to the supply chain. Scattered Spider, also tracked as Octo Tempest, is a cybercriminal collective known for sophisticated social engineering, phishing and MFA fatigue ("MFA bombing") attacks, which makes it a significant threat to large enterprises. The attack underscores the need for organizations to harden their identity and MFA processes against exactly these tactics and to monitor for the credential theft that follows a successful one.
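As an added example (not code from the original article or from BleepingComputer's reporting), the following Python detector shows what the NTDS.dit theft described above looks like in host telemetry and how to flag it. It runs over a few constructed Windows event records in a simplified dict form; the field names (Sysmon Event ID 1 with CommandLine, Security Event ID 4662 with SubjectUserName and Properties) follow the real Windows schema, but the records themselves are made up, the placeholder non-replication GUID is an assumption, and the set of domain controller accounts is assumed.

```python
# Added example: detect the three common ways NTDS.dit (the AD database) is
# stolen: an ntdsutil IFM dump, a volume shadow copy plus file copy, and a
# DCSync replication request from a principal that is not a domain controller.
import re
from dataclasses import dataclass

# Control-access-right GUIDs that a DCSync-style replication call asks for.
# Well-known Active Directory schema values; a non-DC principal requesting
# them against the domain object is the signal.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Command lines that produce an offline copy of the AD database. Order only
# decides which rule name is reported when several patterns match.
NTDS_PATTERNS = [
    ("ntdsutil_ifm", re.compile(r"ntdsutil(\.exe)?.*\bifm\b.*\bcreate\b", re.I)),
    ("vss_shadow", re.compile(r"(vssadmin(\.exe)?\s+create\s+shadow|diskshadow(\.exe)?)", re.I)),
    ("ntds_copy", re.compile(r"\b(copy|xcopy|robocopy|esentutl)\b.*\\ntds\.dit", re.I)),
    ("ntds_from_vsc", re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\NTDS", re.I)),
]


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def check_process(event):
    """Sysmon Event ID 1: match the command line against NTDS dump patterns."""
    cmd = event.get("CommandLine", "")
    for rule, pattern in NTDS_PATTERNS:
        if pattern.search(cmd):
            return Alert(event["Computer"], rule, cmd)
    return None


def check_ds_access(event, dc_accounts):
    """Security Event ID 4662: flag replication rights requested by a non-DC."""
    props = event.get("Properties", "").lower()
    subject = event.get("SubjectUserName", "")
    asks_for_replication = (DS_REPLICATION_GET_CHANGES in props
                            or DS_REPLICATION_GET_CHANGES_ALL in props)
    if asks_for_replication and subject not in dc_accounts:
        return Alert(event["Computer"], "dcsync",
                     f"{subject} requested directory replication rights")
    return None


def scan(events, dc_accounts):
    """Return one Alert per event that looks like domain credential theft."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            alert = check_process(ev)
        elif ev["EventID"] == 4662:
            alert = check_ds_access(ev, dc_accounts)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real M&S logs). DC computer accounts end in '$'.
DC_ACCOUNTS = {"DC01$", "DC02$"}
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "DC01", "CommandLine":
        'cmd.exe /c ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\dump" q q'},
    {"EventID": 1, "Computer": "DC01", "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 1, "Computer": "DC01", "CommandLine":
        "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit"},
    {"EventID": 1, "Computer": "WS042", "CommandLine": "notepad.exe C:\\Users\\bob\\notes.txt"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},   # normal DC-to-DC replication
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "j.smith",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "svc_backup",
        "Properties": "{00000000-0000-0000-0000-000000000000}"},   # placeholder: not a replication right
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

On the sample above the scanner raises four alerts (the IFM dump, the shadow copy, the copy of ntds.dit out of the shadow copy, and the DCSync request from j.smith) and stays quiet on the notepad launch, the DC-to-DC replication and the unrelated 4662. In production the 4662 rule needs auditing of directory service access enabled on the domain controllers and a maintained allow-list of DC and Entra Connect accounts, otherwise it will never fire or will fire constantly.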
References :
- bsky.app: Cyber security website @bleepingcomputer.com now reporting that the M&S hackers could be from Scattered Spider
- hackread.com: Scattered Spider Suspected in Major M&S Cyberattack
- research.checkpoint.com: British retailer Marks & Spencer (M&S) experienced a cyber-attack that caused disruptions to its online order system and in-store contactless payments.
- ComputerWeekly.com: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on Marks and Spencer that has crippled systems at the retailer and left its ecommerce operation in disarray.
- DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
- BleepingComputer: Marks and Spencer breach linked to Scattered Spider ransomware attack.
- Tech Monitor: Cyberattack at Marks & Spencer, suspected to involve Scattered Spider hackers.
- www.bleepingcomputer.com: Marks & Spencer breach linked to Scattered Spider ransomware attack
- www.helpnetsecurity.com: Threat actors are from Scattered Spider, and that M&S’s virtual machines on VMware ESXi hosts have been encrypted with the DragonForce encryptor
- Help Net Security: Marks & Spencer cyber incident linked to ransomware group
- blog.checkpoint.com: The incident report details the significant disruptions to the retailer's systems, prompting the suspension of online orders and refunds for impacted customers.
- Check Point Research: The British retailer Marks & Spencer (M&S) experienced a cyber-attack that caused disruptions to its online order system and in-store contactless payments.
- Danny Palmer: The Co-op has been forced to shut down parts of its IT system after discovering an attempted hack only days after the fellow retailer Marks & Spencer faced a serious cyber incident.
- Silicon Republic: M&S woes continue as Scattered Spider ransomware suspected
- www.cybersecurity-insiders.com: DragonForce Ransomware behind Mark and Spencer digital outage
- www.cybersecurity-insiders.com: Almost a week ago, renowned UK-based retailer Marks & Spencer (M&S) became the victim of a devastating cyber attack that left the company in full-blown disruption mode.
- Metacurity: Scattered Spider might be behind M&S attack
- cyberinsider.com: Marks & Spencer has disclosed a cyberattack targeting its internal systems, leading to disruptions in back-office and customer support operations. While the incident prompted precautionary security measures, all retail stores, funeral homes, and quick commerce services remain open and fully operational.
- Risky Business Media: British retail stalwart Marks & Spencer gets cybered
- www.standard.co.uk: Cybersecurity researchers reported a ransomware attack on Marks & Spencer, impacting online ordering and financial systems, which was attributed to the Scattered Spider group.
- ComputerWeekly.com: The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group.
- Searchlight Cyber: Scattered Spider Linked to Marks & Spencer Cyberattack
- thecyberexpress.com: Marks & Spencer Confirms Cybersecurity Incident After Days of Service Disruptions
Pierluigi Paganini@Security Affairs
//
The Interlock ransomware group has claimed responsibility for a cyberattack on DaVita, a major kidney dialysis provider with more than 2,600 U.S. dialysis centers and 76,000 employees across 12 countries. DaVita disclosed to the U.S. Securities and Exchange Commission (SEC) that it suffered a ransomware attack on April 12th that encrypted certain on-premises systems and affected some operations. The company is still investigating the impact of the incident, the latest in a surge of ransomware attacks on U.S. healthcare organizations.
Earlier today, Interlock added DaVita to its leak site and began publishing data it claims to have stolen, putting the total at more than 1.5 TB. Healthcare remains a favored target because operational disruption translates directly into patient-safety risk, and therefore into pressure to pay.
DaVita says patient care at its centers and in patients' homes continued, but an attack that takes clinical, scheduling or billing systems offline can still delay treatment, and the incident shows how thin that margin can be. The SEC filing also illustrates the regulatory scrutiny healthcare organizations face in the aftermath of an attack.
References :
- securityaffairs.com: The Interlock ransomware gang claimed responsibility for the attack on the leading kidney dialysis company DaVita and leaked alleged stolen data.
- BleepingComputer: BleepingComputer on Interlock ransomware claims DaVita attack and leaks stolen data
- hackread.com: Ransomware Surge Hits US Healthcare: AOA, DaVita and Bell Ambulance Breached
- www.cysecurity.news: Cyberattacks Hit U.S. Healthcare Firms, Exposing Data of Over 236,000 People
- CyberInsider: Claims by Interlock of data theft from DaVita.
- bsky.app: The Interlock ransomware gang has claimed the cyberattack on DaVita kidney dialysis firm and leaked data allegedly stolen from the organization.
- www.redpacketsecurity.com: [INTERLOCK] – Ransomware Victim: DaVita
- cyberinsider.com: Cyber Insider: Interlock Ransomware Group Claims DaVita Attack, Leaks Over 1.5 TB of Data.
- hackread.com: Interlock Ransomware Say It Stole 20TB of DaVita Healthcare Data
- www.scworld.com: Interlock takes credit for DaVita hack
Ross Kelly (ross.kelly@futurenet.com)@Latest from ITPro in News
//
Marks & Spencer (M&S), a major British retailer, has confirmed that it is currently managing a cybersecurity incident. This confirmation follows several days of reported service disruptions affecting store operations and customer experiences. The company issued a statement acknowledging the incident and apologized to customers for any inconvenience caused. M&S has implemented operational changes to protect the business and its customers during this time.
Customer impact includes disruptions to contactless payments, online orders and the Click & Collect service. Some customers reported issues on X as far back as Saturday, ranging from returns being unavailable to Click & Collect orders being delayed or unavailable. M&S says stores remain open, the website and app are operating normally and contactless payments are working again, and that it is working hard to resolve the remaining technical issues. The retailer says it serves 32 million customers a year.
In response, Marks & Spencer has engaged external cybersecurity experts to investigate the incident and strengthen its network security, and has notified the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). The exact nature of the attack and the extent of any data breach have not been disclosed. M&S says it is taking the situation seriously, that customer trust is incredibly important to it, and that it will provide updates if the situation changes.
References :
- CyberInsider: Marks & Spencer (M&S) has confirmed it is responding to a cybersecurity incident that has caused disruptions across its UK retail operations, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect.
- techcrunch.com: The company said it was necessary to make operational changes to protect the business.
- www.itpro.com: Retail giant Marks & Spencer (M&S) has revealed it has been dealing with a “cyber incident” in recent days and apologized to customers amid disruption complaints.
- The Register - Security: Retailer tight-lipped on details as digital hiccup disrupts customer orders UK high street mainstay Marks & Spencer told the London Stock Exchange this afternoon it has been managing a "cyber incident" for "the past few days."…
- cyberinsider.com: Marks & Spencer (M&S) has confirmed it is responding to a cybersecurity incident that has caused disruptions across its UK retail operations, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect.
- Zack Whittaker: New, by me: Marks & Spencer has confirmed a cyber incident, as customers report disruption and outages. The U.K.-headquartered retail giant said it made operational changes to "protect" the business, and has notified data protection authorities.
- The DefendOps Diaries: The Defend Ops Diaries article on Marks & Spencer Cyberattack: A Wake-Up Call for Retail Cybersecurity
- securityaffairs.com: Marks & Spencer (M&S) is managing a cyber incident
- techcrunch.com: TechCrunch article on Marks & Spencer confirms cybersecurity incident amid ongoing disruption
- BleepingComputer: Marks & Spencer confirms a cyberattack as customers face delayed orders
- ComputerWeekly.com: Cyber attack downs systems at Marks & Spencer
- www.cybersecurity-insiders.com: Mark & Spencer hit by Cyber Attack on Easter
- hackread.com: M&S Cyberattack Disrupts Contactless Payments and Click & Collect Services
- www.scworld.com: Marks & Spencer disrupted by cyberattack
- thecyberexpress.com: UK retail giant Marks & Spencer has confirmed it is managing a cybersecurity incident, following several days of service disruption that affected store operations and customer experiences.
- Tech Monitor: Marks & Spencer hit by cyberattack, services disrupted
- The Record: In a statement filed to London’s stock exchange on Tuesday afternoon, retailer Marks & Spencer said it made “some minor, temporary changes to our store operations” as soon as it became aware of the incident.
- bsky.app: Marks & Spencer (M&S) has disclosed that it is responding to a cyberattack over the past few days that has impacted operations, including its Click and Collect service. https://www.bleepingcomputer.com/news/security/marks-spencer-confirms-a-cyberattack-as-customers-face-delayed-orders/
- hackread.com: Marks & Spencer (M&S) cyberattack disrupts contactless payments and Click & Collect; investigation launched as retailer apologises and…
- techinformed.com: TechInformed report on M&S cyber attack impacting click and collect.
- TechInformed: M&S cyber attack impacts click and collect and contactless payments
- The Register - Security: M&S takes systems offline as 'cyber incident' lingers
- ComputerWeekly.com: M&S systems remain offline days after cyber incident
- BleepingComputer: Marks & Spencer pauses online orders after cyberattack
- The Register - Security: M&S suspends all online orders as 'cyber incident' issues worsen
- bsky.app: M&S stops online orders following cyber attack. Fall-out from this cyber attack is getting worse not better 4 days after customers were alerted to an attack.
- bsky.app: Bsky social network post about Marks & Spencer pausing online sales after cyberattack
- www.itpro.com: M&S suspends online sales as 'cyber incident' continues
- cyberinsider.com: Marks & Spencer Suspends Online Orders Amid Ongoing Cyber Incident
- The DefendOps Diaries: Marks & Spencer Cyberattack: Operational Disruptions and Strategic Responses
- CyberInsider: Marks & Spencer Suspends Online Orders Amid Ongoing Cyber Incident
- bsky.app: Marks & Spencer has paused online orders for customers.
- go.theregister.com: One step forward and one step back as earlier hopes of progress dashed by latest update Marks & Spencer has paused online orders for customers via its website and app as the UK retailer continues to wrestle with an ongoing "cyber incident."
- Check Point Research: For the latest discoveries in cyber research for the week of 28th April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES British retailer Marks & Spencer (M&S) experienced a cyber-attack that caused disruptions to its online order system and in-store contactless payments.
- www.bleepingcomputer.com: Marks & Spencer pauses online orders after cyberattack
- bsky.app: Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as "Scattered Spider"
- BleepingComputer: Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as "Scattered Spider" BleepingComputer has learned from multiple sources.
- www.bleepingcomputer.com: Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as Scattered Spider BleepingComputer has learned from multiple sources.
- Help Net Security: The “cyber incident” that British multinational retailer Marks & Spencer has been struggling with for over a week is a ransomware attack, multiple sources have asserted.
- DataBreaches.Net: Multiple sources inform them that the outages at UK retail giant Marks & Spencer are the result of a ransomware attack by the group known as Scattered Spider.
- bsky.app: Cyber security website @bleepingcomputer.com now reporting that the M&S hackers could be from Scattered Spider. This infamous hacking crew is behind a string of attacks in the last 2 years and its members include English-speaking teenagers. https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
- ComputerWeekly.com: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on Marks and Spencer.
- hackread.com: The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. Explore the severe…
- Tech Monitor: Cyber incident at Marks & Spencer suspected to involve Scattered Spider hackers
Ross Kelly (ross.kelly@futurenet.com)@Latest from ITPro
//
Hertz Corporation has disclosed a data breach affecting customers of its Hertz, Thrifty and Dollar car rental brands. The breach stems from the exploitation of zero-day vulnerabilities in Cleo's file transfer software in late 2024. On February 10, 2025, the company confirmed that an unauthorized third party had acquired Hertz data by exploiting vulnerabilities in Cleo's platform in October and December 2024; the stolen data includes personal information and driver's license details.
The stolen data varies depending on the region, but generally includes customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. In some instances, Social Security numbers and other government-issued identification numbers were also compromised. Notices about the breach have been posted on Hertz websites for customers in Australia, Canada, the European Union, New Zealand, the United Kingdom, and several U.S. states, including California, Maine, and Texas. Hertz has disclosed that at least 3,400 customers in Maine and some 96,665 customers in Texas were affected.
Hertz attributes the breach to vulnerabilities in Cleo's software that the Clop ransomware gang exploited in 2024 for mass data theft across many Cleo customers. The incident is another illustration of third-party risk, and of how a single zero-day in a widely deployed enterprise managed file transfer product cascades into breaches at that vendor's customers, as in Clop's earlier campaigns against other file-transfer products. Those affected have been advised to take precautions to protect their personal and financial information.
References :
- securityaffairs.com: Hertz disclosed a data breach following 2024 Cleo zero-day attack
- techcrunch.com: Hertz says customers’ personal data and driver’s licenses stolen in data breach
- The DefendOps Diaries: Hertz Data Breach: Lessons in Cybersecurity and Vendor Management
- www.bleepingcomputer.com: Hertz confirms customer info, drivers' licenses stolen in data breach
- Zack Whittaker: New by me: Car rental giant Hertz has confirmed a data breach affecting customers' personal information, driver's licenses, and payment card data. Customers worldwide are being notified.
- techcrunch.com: Hertz says customers' personal data and driver's licenses stolen in data breach
- BleepingComputer: Car rental giant Hertz Corporation warns it suffered a data breach after customer data for its Hertz, Thrifty, and Dollar brands was stolen in the Cleo zero-day data theft attacks.
- www.itpro.com: Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the last
- Malwarebytes: Hertz data breach caused by CL0P ransomware attack on vendor Cleo
- PCMag UK security: Hackers Stole Credit Card, Driver's License Info in Hertz Data Breach
- Zack Whittaker: Hertz won't say how many are affected by its breach, but continues to notify U.S. states, giving a little indication of the numbers. Per its filing in Texas today, Hertz said 96,665 Texas residents are affected. Plus 3,400 people in Maine and that's already 100,000+ people in two states alone.
- www.cybersecuritydive.com: Hertz says personal data breached in connection with Cleo file-transfer flaws
- ComputerWeekly.com: Hertz warns UK customers of Cleo-linked data breach
- The Register - Security: Where it Hertz: Customer data driven off in Cleo attacks
- cyberinsider.com: Hertz Confirms Data Breach Following Clop Ransomware Leaks
- cyberinsider.com: Analysis of how the Clop ransomware group exploited zero-day vulnerabilities to compromise Hertz's systems
- Help Net Security: Car rental company Hertz suffers a data breach from exploitation of vulnerabilities in third-party software.
- hackread.com: Hertz Confirms Data Breach After Hackers Stole Customer PII
@hackread.com
//
The Medusa ransomware group has claimed responsibility for a cyberattack on NASCAR, alleging the theft of over 1TB of data. In a posting on its dark web leak site, Medusa has demanded a $4 million ransom for the deletion of NASCAR's data. The group has placed a countdown timer on the leak site, threatening to make the stolen data available to anyone on the internet after the deadline. The countdown deadline can be extended at a cost of $100,000 per day.
To verify its claim, Medusa has published screenshots of what it claims are internal NASCAR documents. These include names, email addresses, and phone numbers of NASCAR employees and sponsors, as well as invoices, financial reports, and more. Furthermore, the ransomware gang has published a substantial directory illustrating NASCAR's internal file structure and the names of documents that have been exfiltrated. While NASCAR has not yet confirmed or denied reports of the attack, the details published by Medusa on its leak site appear credible.
The Medusa ransomware group operates under a ransomware-as-a-service (RaaS) model and is known for its double extortion tactics. The FBI and CISA issued a joint cybersecurity advisory last month warning that Medusa ransomware had impacted over 300 organizations, including those in critical infrastructure sectors such as medical, education, legal, insurance, technology, and manufacturing. Past victims include Minneapolis Public Schools, which refused to pay a million-dollar ransom and saw approximately 92 GB of stolen data released to the public.
References:
- Rescana: Rescana post about the ransomware attack on NASCAR
- hackread.com: Medusa Ransomware Claims NASCAR Breach in Latest Attack, Demands $4M Ransom
- bsky.app: Medusa ransomware gang claims to have hacked NASCAR. https://www.bitdefender.com/en-us/blog/hotforsecurity/medusa-ransomware-hacked-nascar
- cybersecuritynews.com: The Medusa ransomware group has reportedly launched a major cyberattack on the National Association for Stock Car Auto Racing (NASCAR), demanding a $4 million ransom to prevent the release of sensitive data.
- www.bitdefender.com: Medusa ransomware gang claims to have hacked NASCAR The Medusa ransomware-as-a-service (RaaS) claims to have compromised the computer systems of NASCAR, the United States' National Association for Stock Car Auto Racing, and made off with more than 1TB of data.
- www.cysecurity.news: Hackers Demand $4 Million After Alleged NASCAR Data Breach. The motorsports industry has recently been faced with troubling news that NASCAR may have become the latest high-profile target for a ransomware attack as a result of the recent hackread.com report.
- Cyber Security News: Medusa Ransomware Claims NASCAR Hack, Demands $4 Million Ransom
Rob Wright@gcp.cybersecuritydive.com
//
Sensata Technologies, a global manufacturer of sensors and industrial technology, has disclosed a recent ransomware attack that significantly disrupted its operations. The Massachusetts-based company, which has sites in approximately a dozen countries, informed the U.S. Securities and Exchange Commission (SEC) about the incident, revealing that it forced the company to take its network offline. The attack, which began on Sunday, April 6th, impacted critical functions, including shipping, receiving, manufacturing production, and other support services. Sensata has engaged law enforcement and cybersecurity experts to investigate the breach and restore its systems.
The preliminary investigation has uncovered evidence indicating that files were exfiltrated from Sensata's environment. The company is currently working to identify the compromised files and will notify affected individuals and regulators in accordance with applicable laws. While interim measures have been implemented to restore certain functions, the timeline for a full recovery remains uncertain. Sensata is an industrial technology company with over 19,000 employees.
Despite the operational disruptions, Sensata initially stated that it does not expect the ransomware attack to have a material impact on its financial results for the current quarter. However, the company noted that the full scope and impact of the attack are still being assessed, and this determination could change. Sensata Technologies, known for its work on the Apollo 11 moon mission and Hubble space telescope upgrades, ships approximately 1 billion units of product annually. As of Wednesday evening, no ransomware gang had claimed responsibility for the attack.
References:
- The Register - Security: The Register article describing that US sensor giant Sensata admits to ransomware issues
- therecord.media: The Record article about Sensata Technologies ransomware attack.
- www.cybersecurity-insiders.com: Cybersecurity Insiders article about Sensata Technologies hit by a ransomware attack.
- www.cybersecuritydive.com: Cybersecurity Dive article about Sensata Technologies being disrupted.
- The Dysruption Hub: A ransomware attack on Sensata Technologies disrupted production and logistics across global operations, prompting a federal investigation.
- Jon Greig: Billion-dollar industrial technology company Sensata Technologies warned investors on Wednesday of a ransomware attack that is impacting "shipping, receiving, manufacturing production, and various other support functions"
- www.cybersecurity-insiders.com: Ransomware attack on Sensata Technologies.
- www.silentpush.com: Ransomware attack disrupts Sensata Technologies operations
Pierluigi Paganini@securityaffairs.com
//
A new ransomware group named Arkana Security is claiming responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers. The nascent gang's breach purportedly compromised over 403,000 WOW! user accounts, pilfering data including full names, usernames, salted passwords, email addresses, login histories, and security questions and answers.
The attackers boast of full backend control and have even created a music video montage to demonstrate their level of access. Additionally, they claim to have exfiltrated a separate CSV file with 2.2 million records, including names, addresses, phone numbers, and devices. While WOW! has yet to acknowledge Arkana Security's claims, threat researchers traced the attack's origins to an infostealer infection in September last year that enabled access to WOW!'s critical systems.
References:
- Cyber Security News: The largest US internet provider, WideOpenWest (WOW!), is allegedly compromised by Arkana Security, a recently discovered ransomware group.
- securityaffairs.com: Arkana Security, a new ransomware group, claims to have breached the telecommunications provider WideOpenWest (WOW!), stealing customer data.
- www.scworld.com: WideOpenWest purportedly breached by nascent ransomware gang
- CyberInsider: Arkana ransomware group has claimed responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers.
- BleepingComputer: The new ransomware group Arkana Security claims to have hacked US telecom provider WOW!, stealing customer data.
- Information Security Buzz: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US. The malicious actors boasted they had full backend control and even put a music video montage together to illustrate exactly how much access they had.
- DataBreaches.Net: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)
- PCMag UK security: Hacking group Arkana Security gives WideOpenWest (WOW!) until 5 p.m. PST today to pay a ransom, or it will sell customer data to the highest bidder. WOW! says it's investigating.
- The Register - Security: Cyber-crew claims it cracked American cableco, releases terrible music video to prove it
- www.csoonline.com: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US.
- Talkback Resources: Arkana Security group claims the hack of US telco provider WideOpenWest (WOW!)
- www.pcmag.com: Cybercrime Gang Says It Hacked This US ISP, Stole Info on 403K Customers
- www.scworld.com: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)
@www.the420.in
//
Lee Enterprises, a major American media company with over 75 publications, has confirmed a ransomware attack that has disrupted operations across its network. The notorious Qilin ransomware gang has claimed responsibility for the February 3rd attack, alleging the theft of 350GB of sensitive data. This stolen data purportedly includes investor records, financial arrangements, payments to journalists and publishers, funding for tailored news stories, and even approaches to obtaining insider information. The cyberattack has resulted in widespread outages, significantly impacting the distribution of printed newspapers, subscription services, and internal business operations.
The attack has caused delays in the distribution of print publications and has partially limited online operations. Lee Enterprises anticipates a phased recovery over the next several weeks and has implemented temporary measures, including manual processing of transactions. The company has also launched a forensic investigation to determine the full extent of the breach. The Qilin ransomware group's actions have brought attention to the increasing threat facing media organizations and the importance of robust cybersecurity measures to protect sensitive information and maintain operational integrity.
References:
- securityaffairs.com: SecurityAffairs: Qilin ransomware gang claimed responsibility for the Lee Enterprises attack
- www.cysecurity.news: CySecurity News: Lee Enterprises Faces Prolonged Ransomware Attack Disrupting Newspaper Operations
- www.the420.in: The420.in: American Media Group Hit by Cyber Attack, 75 Newspapers Disrupted & Informers’ Data Leaked
- bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
- Information Security Buzz: Qilin Claims Lee Enterprises Ransomware Attack
- securityaffairs.com: The Qilin ransomware group claimed responsibility for the recent cyberattack on Lee Enterprises, which impacted dozens of local newspapers. Lee Enterprises, Inc. is a publicly traded American media company. It publishes 79 newspapers in 25 states, and more than
- CyberInsider: Reports that Qilin ransomware gang claimed responsibility for Lee Enterprises attack, threatens to leak stolen data
- www.cysecurity.news: reports on Ransomware
- Zack Whittaker: Lee Enterprises is still experiencing disruption and outages after a ransomware attack.
- Metacurity: UK ICO launches children's social media privacy probe, Qilin claims attack on Lee Enterprises, Polish Space Agency breached, Cellebrite zero days used to hack Serbian student's phone, Man sentenced to 24 years for putting CSAM on dark web, Canceled CFPB contracts threaten data security, much more
- Konstantin :C_H:: Qilin claims attack on Lee Enterprises,
- The420.in: Qilin ransomware group claimed responsibility for the Lee Enterprises attack.
- Kim Zetter: Reports Qilin claims attack on Lee Enterprises
- BleepingComputer: Qilin claiming responsibility for the cyberattack on Lee Enterprises.
- BleepingComputer: Qilin Ransomware Gang Claims Lee Enterprises Attack
- DataBreaches.Net: Japanese cancer hospital confirms breach; Qilin gang claims responsibility
- The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
- www.cysecurity.news: Qilin Ransomware Outfit Claims Credit for Lee Enterprises Breach
- securityaffairs.com: Qilin Ransomware group claims to have breached the Ministry of Foreign Affairs of Ukraine, marking a significant cybersecurity attack.
- www.scworld.com: The ransomware group Qilin has taken credit for the cyberattack on Lee Enterprises.