CySecurity News - Latest Information Security and Hacking Incidents: CyberCrime

AI AI-Healthcare system Cyber Hygiene CyberCrime Cybersecurity Da Vita Data Breach Digital threats Healthcare Security patient privacy Ransomware

Millions of Patient Records Compromised After Ransomware Strike on DaVita

Healthcare Faces Growing Cyber Threats

A ransomware attack that affected nearly 2.7 million patients has been confirmed by kidney care giant DaVita, revealing that one of the most significant cyberattacks of the year has taken place. There are over 2,600 outpatient dialysis centres across the United States operated by the company, which stated that the breach was first detected on April 12, 2025, when the security team found unauthorised activity within the company's computer systems. In the aftermath of this attack, Interlock was revealed to have been responsible, marking another high-profile attack on the healthcare industry.

Although DaVita stressed the uninterrupted delivery of patient care throughout the incident, and that all major systems have since been fully restored - according to an official notice issued on August 1 - a broad range of sensitive personal and clinical information was still exposed through the compromise. An attacker was able to gain access to a variety of information, such as name, address, date of birth, Social Security number, insurance data, clinical histories, dialysis treatment details, and laboratory results, among others.

It represents a deep invasion of privacy for millions of patients who depend on kidney care for life-sustaining purposes and raises new concerns about the security of healthcare systems in general.

Healthcare Becomes A Cyber Battlefield

The hospital and healthcare industry, which has traditionally been seen as a place of healing, is becoming increasingly at the centre of digital warfare. Patient records are packed with rich financial and medical information, which can be extremely valuable on dark web markets, as compared to credit card information.

While hospitals are under a tremendous amount of pressure to maintain uninterrupted access to their systems, any downtime in the system could threaten patients' lives, which makes them prime targets for ransomware attacks.

Over the past few months, millions of patients worldwide have been affected by breaches that have ranged from the theft of medical records to ransomware-driven disruptions of services. As well as compromising privacy, these attacks have also disrupted treatment, shaken public trust, and increased financial burdens on healthcare organisations already stressed out by increasing demand.

A troubling trend is emerging with the DaVita case: in the last few years, cybercriminals have progressively increased both the scale and sophistication of their campaigns, threatening patient safety and health. DaVita’s Ransomware Ordeal. It was reported that DaVita had confirmed the breach in detail on August 21, 2025, and that it filed disclosures with the Office for Civil Rights of the U.S. Department of Health and Human Services.

Intruders started attacking DaVita's facility on March 24, 2025, but were only removed by April 12 after DaVita's internal response teams contained the attack. Several reports indicate that Interlock, the ransomware gang that was responsible for the theft of the data, released portions of the data online after failing to negotiate with the firm. Although the critical dialysis services continued uninterrupted, as is a priority given the fact that dialysis is an essential treatment, the attack did temporarily disrupt laboratory systems. There was an exceptionally significant financial cost involved.

According to DaVita's report for the second quarter of 2025, the breach had already incurred a total of $13.5 million in costs associated with it. Among these $1 million, $1 million has been allocated to patient care costs relating to the incident, while $12.5 million has been allocated to administrative recovery, system restoration, and cybersecurity services provided by professional third-party service providers.

Expansion of the Investigation

According to DaVita's Securities and Exchange Commission filings in April 2025, it first acknowledged that there had been a security incident, but it said that the scope of the data stolen had not yet been determined. During the months that followed, forensic analysis and investigations expanded. State Attorneys General were notified, and the extent of the problem began to be revealed: it was estimated that at least one million patients were affected by the virus. As more information came to light, the figures grew, with OCR's breach portal later confirming 2,688,826 victims.

DaVita, based on internal assessments, believed that the actual number of victims may be slightly lower, closer to 2.4 million, and the agency intends to update its portal in accordance with those findings. Although the company is struggling with operational strains, it has assured its patients that it will continue providing dialysis services through its 3,000 outpatient centres and home-based programs worldwide – a sign of stability in the face of crisis, given that kidney failure patients require life-saving treatment that cannot be avoided.

Even so, the attack underscored just how severe financial and reputational damage such incidents can have. This will mean that the cost of restoring systems, engaging cybersecurity experts and providing patients with resources such as credit monitoring and data protection will likely continue to climb in the coming months.

Data Theft And Interlock’s Role

It appears that Interlock has become one of the most aggressive ransomware groups out there since it appeared in 2024. In the DaVita case, it is said that the gang stole nearly 1.5 terabytes of data, including approximately 700,000 files. In addition to the patient records, the stolen files were also suspected to contain insurance documents, user credentials, and financial information as well.

A failed negotiation with DaVita caused Interlock to publish parts of the data on its dark web portal, after which parts of the data were published. On June 18, DaVita confirmed that some of the files were genuine, tracing them back to the dialysis laboratory systems they use. As part of its public statement, the company stated that it had acknowledged that the lab's database had been accessed by unauthorised persons and that it would notify both current and former patients.

Additionally, DaVita has begun to provide complimentary credit monitoring services as part of its efforts to reduce risks. Interlock's services go well beyond DaVita as well. Several universities in the United Kingdom have been attacked by a remote access trojan referred to as NodeSnake, which was deployed by the group in recent campaigns.

Recent reports indicate that the gang has also claimed responsibility for various attacks on major U.S. healthcare providers, including a major organisation with more than 120 outpatient facilities and 15,000 employees, known as Kettering Health. Cyberattacks on healthcare have already proven to be a sobering reminder of how varied and destructive they can be. Each major breach has its own particular lessons that need to be taken into account:

The Ascension case shows how a small mistake made by a single employee can escalate into a huge problem that affects every employee. The Yale New Haven Health System shows that institutions that have well-prepared strategies are vulnerable to persistent adversaries despite their best efforts. It was revealed by Episource that third-party and supply chain vulnerabilities can result in significant damage to a network, showing how the impact of a single vendor breach may ripple outward.

Putting one example on display, DaVita shows how the disruption caused by ransomware is different from other disruptions, as it involves both data theft and operational paralysis. There have been incidents when hackers have accessed sensitive healthcare records at scale, but there have also been incidents where simple data configuration issues have led to these breaches.

In view of these incidents, it is clear that compliance-based checklists and standard security frameworks may not be sufficient for the industry anymore. Instead, the industry must be more proactive and utilise intelligence-driven defences that anticipate threats rather than merely reacting to them as they occur.

The Road Ahead For Healthcare Security

The DaVita breach is an example of a growing consensus among healthcare providers that their cybersecurity strategies must be strengthened to match the sophistication of modern attackers.

Cybercriminals value patient records as one of their most valuable assets, and every time this happens, patients' trust in their providers is undermined directly. Additionally, the operational stakes are higher than in most industries, as any disruption can put patients' lives at risk, which is why every disruption can be extremely dangerous.

Healthcare organisations in emerging countries, as well as hospitals in India, need to invest in layered defences, integrate threat intelligence platforms, and strengthen supply chain monitoring, according to security experts. Increasingly, proactive approaches are viewed as a necessity rather than an option for managing attack surfaces, prioritising vulnerabilities, and continually monitoring the dark web. Consequently, the DaVita case is more than just an example of how a single company suffered from ransomware.

It's also a part of a wider pattern shaping what the future of healthcare will look like. There is no doubt that in this digital age, where a breach of any record can lead to death or injury, it is imperative to have foresight, invest in cybersecurity, and recognise that it is on an equal footing with patient care. It has become evident that healthcare cybersecurity needs to evolve beyond reactive measures and fragmented defences as a result of these developments.

In today's world, digital security cannot simply be treated as a side concern, but rather must be integrated into the very core of a patient care strategy, which is why the industry must pay close attention to it. Taking a forward-looking approach to cyber hygiene should prioritise investments in continuous cyber hygiene, workforce awareness in cybersecurity, and leveraging new technologies such as zero-trust frameworks, advanced threat intelligence platforms, and artificial intelligence (AI)-driven anomaly detection systems.

The importance of cross-industry collaboration cannot be overstated: it requires shared standards to be established and the exchange of real-time intelligence to be achieved, so hospitals, vendors, regulators, and cybersecurity providers can collectively resist adversaries who operate no matter what borders or industries are involved.

By reducing risks, such measures will also allow people to build patient trust, reduce recovery costs, and ensure uninterrupted delivery of essential care, as well as create long-term value. In the healthcare sector that is becoming increasingly digitalised and interdependent, the organisations that proactively adopt layered defences and transparent communication practices will not only be able to mitigate threats but also position themselves as leaders in a hostile cyber environment that is ripe with cyber threats.

Clearly, if the patients' lives are to be protected in the future, the protection of their data must equally be paramount.

Cybercriminals Steal Thousands of Guest ID Documents from Italian Hotels



 

Identity Theft

CERT Cyberattack CyberCrime Dark Web Data Breach Digital Vulnerability FBI Hospitality Security Identity Theft

Cybercriminals Steal Thousands of Guest ID Documents from Italian Hotels

Thousands of travellers have been left vulnerable to cyberattacks caused by hotel systems that have been breached by a sweeping cyberattack. Identities that have been stolen from hotel systems are now circulating on underground forums. According to the government's Agency for Digital Italy (CERT-AGID), the breach has now become among the most significant data security incidents to have struck the country's tourism industry in recent years due to the breach that has been confirmed by the agency.

According to an FBI report, a hacker using the alias “mydocs” is suspected of gaining access to hotel reservation platforms from June to August, allowing them to download high-resolution copies of passports, identification cards, and other identity documents obtained during guest check-in. This hacker has been selling a total of over 90,000 documents on well-known cybercrime forums, spread across a number of batches.

Hotels and Guests Caught Off Guard

A total of ten hotels have been confirmed to have been affected by the theft, but officials warn that this number may increase as the investigation continues. It has been observed that CERT-AGID has already intercepted at least one attempt to resell the data illegally, which suggests that much of the information being offered is genuinely accurate rather than exaggerated, as is often the case within cybercriminal circles. Passports, as well as national identification cards, are of particular value because of their potential for abuse, which means that they are particularly valuable.

There is a possibility that fraudsters can exploit this information to create false identities, open accounts with banks, or launch sophisticated social engineering attacks in an effort to fool the victim into divulging even more personal information. It is stated in the CERT-AGID public advisory that the possible consequences for those affected are "serious, both legally and financially."

The Scale of the Breach

Hotels are being questioned about how much information they keep, and for how long, based on the scope of the breach. In spite of the fact that the incidents are believed to have occurred between June and July, investigators can't rule out the possibility that years of archived guest scans were hacked. Several travelers would have been affected beyond the tens of thousands confirmed to have been affected, which is a significant increase in the number of affected travellers.

There has been a report on the Ca’ dei Conti in Veneto, a four-star hotel in Venice, that was among the properties that were targeted. According to Corriere del Veneto, as many as 38,000 guest records have been gathered at this hotel, which demonstrates just how large the attack has been. It has been reported that stolen data is being offered on the dark web for sale at a price ranging from $937 to $11,714 per tranche, depending on the size and type of the data.

A Familiar Target for Cybercriminals

There has been a troubling pattern of attacks in the hospitality sector for some time now. As a result of collecting a combination of financial and identity data from millions of guests each year, hotels have always been a target for hackers. Due to their old IT systems, fragmented digital platforms, and global nature, they are a relatively easy target and high in value.

In April of this year, CERT-AGID interrupted a separate smishing campaign aimed at stealing Italian citizens' identification documents. It was found that the attackers asked victims to send selfies with their identification cards as a way to increase the value of stolen credentials for fraudulent activity and impersonation schemes. This was done as a result of the fact that multiple, unrelated operations have emerged within the last few months, demonstrating the growing demand for identity data on criminal markets for a variety of reasons.

How the Data Can Be Abused

It is important to note that cybersecurity experts warn that stolen identity scans can be reused in several ways that travellers might not anticipate. Besides the obvious risks of opening a bank account or applying for a loan, criminals can also use this information to rent properties or commit tax fraud or circumvent identity checks on the web. These documents can form the basis of long-term fraud campaigns when combined with other leaked information, such as email addresses and telephone numbers, that has been leaked.

The authorities are warning anyone who stayed in an Italian hotel over the summer to keep an eye out for red flags such as credit inquiries, unusual account activity, or unsolicited bank correspondence. It is not uncommon for the first signs of misuse to emerge weeks or even months after the initial breach has taken place.

Industry Response and Urgency

It has been urged that hotels and other organisations that handle identity information take immediate steps to strengthen their defences. In the agency's advisory, it was stressed that businesses had to go beyond simply complying with data processing laws, and should adopt robust digital security practices, from encrypted storage to stronger authentication protocols as well as regular audits of their systems.

The increase in illicit identity document sales confirms that increased awareness and protective measures should be taken by both the organisations that manage them and the citizens themselves, according to a statement released by the agency. Italy, where tourism is a significant part of its national economy, faces both economic and reputational risks as a consequence of the incident.

There are millions of visitors who each year submit sensitive information to websites in the hope that their privacy will be protected. Experts warn, however, that if breaches of this scale continue, it will have a long-term impact on public trust in the industry.

A Warning for the Global Hospitality Industry

There is no doubt that the "mydocs" case is a wake-up call for Italy, but it is also a wake-up call for the entire international hotel industry. Hotels around the world have adopted digital check-in tools and automated identification verification tools for the purpose of protecting sensitive data, often without the required security measures to protect them.

As investigators continue to uncover the extent of this breach, it is becoming increasingly clear that cybersecurity must now take precedence in an industry where efficiency and convenience often dominate. When there is no stronger protection in place, hotels risk becoming prime hunting grounds for identity thieves, leaving guests to pay for their actions long after they have checked out of their hotel.

Hotel businesses in Italy are facing a breach that is more than a cautionary tale. It is also an opportunity for their approach to digital trust to be reevaluated. The problem with maintaining guests’ confidence has become increasingly important in an age where privacy and security are key components of customer expectations, and hotels and tourism operators face the challenge of complying with regulatory requirements as well.

Providing a high-quality service to guests must include a strong emphasis on cybersecurity, just as much as comfort and convenience. Investing in stronger encryption systems, secure data storage, periodic penetration testing, and employee awareness programs can considerably reduce risks, while partnering with cybersecurity firms may allow people to add a further layer of protection.

It is also important for guests to take steps to safeguard themselves against misuse of their credit reports by monitoring credit reports, using identity protection services, and limiting the sharing of unnecessary documents during check-in. The headlines of this incident emphasise the alarming reality of stolen identities, but if this incident prompts meaningful change in the future, it is likely to be one of resilience.

Taking decisive action now could not only enable Italy's hospitality sector to recover from this blow but also be a driving force in setting a new benchmark for digital safety in global tourism in the future.

Scammers Can Pinpoint Your Exact Location With a Single Click Warns Hacker



 

Spyware and Stalkerware

CyberCrime Cybersecurity awareness Data location tracking Phishing Scams Privacy Spyware and Stalkerware

Scammers Can Pinpoint Your Exact Location With a Single Click Warns Hacker

With the advent of the digital age, crime has steadily migrated from dark alleys to cyberspace, creating an entirely new type of criminal enterprise that thrives on technology. The adage that "crime doesn't pay" once seemed so absurd to me; now that it stands in stark contrast with the reality of cybercrime, which has evolved into a lucrative and relatively safe form of illegal activity that is also relatively risk-free.

While traditional crime attracts a greater degree of exposure and punishment, cybercriminals enjoy relative impunity. There is no question that they exploit the gaps in digital security to make huge profits while suffering only minimal repercussions as a result. A study conducted by Bromium security firm indicates that there is a significant underground cyber economy, with elite hacker earnings reaching $2 million per year, middle-level cybercriminals earning $900,000 a year, and even entry-level hackers earning $42,000 a year.

As cybercrime has grown in size, it has developed into a booming global industry that attracts opportunists, who are looking for new opportunities to take advantage of hyperconnectedness. Several deceptive tactics are currently proliferating online, but one of the most alarming is the false message "Hacker is tracking you".

Many deceptive tactics are being used online these days. Through the use of rogue websites, this false message attempts to create panic by claiming that a hacker has compromised the victim's device and is continuously monitoring the victim's computer activity. There is an urgent warning placed on the victim's home page warning him or her to not close the page, as a countdown timer threatens to expose their identity, browsing history, and even the photos that they are alleged to have taken with the front camera to their entire contact list.

The website that sent the warning does not possess the capability to detect threats on a user’s device. In fact, the warning is entirely fabricated by the website. Users are often tricked into downloading or installing software that is marketed as protective and is often disguised as anti-virus software or performance enhancers, thereby resulting in the download of the malicious software.

The issue with downloading such files is, however, that these often turn out to be Potentially Unwanted Applications (PUAs), such as adware, browser hijackers, and other malicious software. It is often the case that these fraudulent websites are reached through mistyped web addresses, redirects from unreliable websites, or intrusive advertisements that lead to the page.

In addition to risking infections, users are also exposed to significant threats such as privacy invasions, financial losses, and even identity theft if they fall victim to these schemes. Secondly, there is the growing value of personal data that is becoming increasingly valuable to cybercriminals, making it even more lucrative than financial theft in many cases.

It is widely known that details, browsing patterns, and personal identifiers are coveted commodities in the underground market, making them valuable commodities for a variety of criminal activities, many of which extend far beyond just monetary scams. In a recent article published by the ethical hacker, he claimed that such information could often be extracted in only a few clicks, illustrating how easy it can be for an unsuspecting user to be compromised with such information.

Cybercriminals continue to devise inventive ways of evading safeguards and tricking individuals into revealing sensitive information in spite of significant advances in device security. The phishing tactic known as “quishing” is one such technique that is gaining momentum. In this case, QR codes are used to lure victims into malicious traps.

It has even evolved into the practice of fraudsters attaching QR codes to unsolicited packages, preying upon curiosity or confusion to obtain a scan. However, experts believe that even simpler techniques are becoming more common, entangling a growing number of users who underestimate how sophisticated and persistent these scams can be.

Besides scams and phishing attempts, hackers and organisations alike have access to a wide range of tools that have the ability to track a person's movements with alarming precision. Malicious software, such as spyware or stalkerware, can penetrate mobile devices, transmit location data, and enable unauthorised access to microphones and cameras, while operating undetected, without revealing themselves.

The infections often hide deep within compromised apps, so it is usually necessary to take out robust antivirus solutions to remove them. It is important to note that not all tracking takes place by malicious actors - there are legitimate applications, for example, Find My Device and Google Maps, which rely on location services for navigation and weather updates.

While most companies claim to not monetise user data, several have been sued for selling personal information to third parties. As anyone with access to a device that can be used to share a location can activate this feature in places like Google Maps, which allows continuous tracking even when the phone is in aeroplane mode, the threat is compounded.

As a matter of fact, mobile carriers routinely track location via cellular signals, which is a practice officially justified as a necessity for improving services and responding to emergencies. However, while carriers claim that they do not sell this data to the public, they acknowledge that they do share it with the authorities. Furthermore, Wi-Fi networks are another method of tracking, since businesses, such as shopping malls, use connected devices to monitor the behaviour of their consumers, thus resulting in targeted and intrusive advertising.

Cybersecurity experts continue to warn that hackers continue to take advantage of both sophisticated malware as well as social engineering tactics to swindle unsuspecting consumers. An ethical hacker, Ryan Montgomery, recently demonstrated how scammers use text messages to trick victims into clicking on malicious links that lead them to fake websites, which harvest their personal information through the use of text messages.

To make such messages seem more credible, some social media profiles have been used to tailor them so they seem legitimate. It is important to note that the threats do not end with phishing attempts alone. Another overlooked vulnerability is the poorly designed error messages in apps and websites. Error messages are crucial in the process of debugging and user guidance, but they can also be a security threat if they are crafted carelessly, as hackers can use them to gather sensitive information about users.

A database connection string, an individual's username, email address, or even a confirmation of the existence of an account can provide attackers with critical information which they can use to weaponise automated attacks. As a matter of fact, if you display the error message "Password is incorrect", this confirms that a username is valid, allowing hackers to make lists of real accounts that they can try to brute force on.

In order to reduce exposure and obscure details, security professionals recommend using generic phrases such as "Username or password is incorrect." It is also recommended that developers avoid disclosing backend technology or software versions through error outputs, as these can reveal exploitable vulnerabilities.

It has been shown that even seemingly harmless notifications such as "This username does not exist" can help attackers narrow down the targets they target, demonstrating the importance of secure design to prevent users from being exploited. There is a troubling imbalance between technological convenience and security in the digital world, as cybercrime continues to grow in importance.

The ingenuity of cybercriminals is also constantly evolving, ensuring that even as stronger defences are being erected, there will always be a risk associated with any system or device, regardless of how advanced the defences are. It is the invisibility of this threat that makes it so insidious—users may not realise the compromise has happened until the damage has been done. This can be done by draining their bank accounts, stealing their identities, or quietly monitoring their personal lives.

Cybersecurity experts emphasise that it is not just important to be vigilant against obvious scams and suspicious links, but also to maintain an attitude of digital caution in their everyday interactions. As well as updating devices, scrutinising app permissions, practising safer browsing habits, and using trusted antivirus tools, there are many other ways in which users can dramatically reduce their risk of being exposed to cybercrime.

In addition to personal responsibility, the importance of stronger privacy protections and transparent practices must also be emphasised among technology providers, app developers, and mobile carriers as a way to safeguard user data. It is the complacency of all of us that allows cybercrime to flourish in the end. I believe that through combining informed users with secure design and responsible corporate behaviour, society will be able to begin to tilt the balance away from those who exploit the shadows of the online world to their advantage.

Brokers Fuel Underground Market for Bank Accounts in India



 

Underground economy

Bank Account Fraud Cyber Fraud CyberCrime financial scams KYC Compliance Money Laundering Underground economy

Brokers Fuel Underground Market for Bank Accounts in India

An undercover investigation of India's financial ecosystem has revealed that a troubling black market is quietly emerging - a market where bank accounts are traded just as casually as consumer goods. Undercover investigations have revealed that there is a thriving network of brokers who sell unlicensed accounts for as little as ₹7,000, exposing unsuspecting citizens to grave risks.

The accounts are often created without the knowledge of the individual by using their personal credentials. These accounts are then resold to cybercriminals and used to perpetrate online scams, launder money, and circumvent financial regulations, thereby undermining the integrity of the country’s banking system. When these tools are in the hands of fraudsters, they become powerful instruments to perpetrate online scams, launder illicit money, and circumvent financial regulations.

It is well known that the purchase, sale, or rental of bank accounts constitutes a serious criminal offence and that authorities have repeatedly warned about this fact. If an account is found to be operated by someone other than its legitimate holder, or if a transaction is associated with illegal activity, a financial institution has stated that immediate action will be taken, including suspending or terminating the account without advance notice, as well as escalating the matter to the appropriate authorities.

According to investigators, these accounts are extremely valuable resources for criminal networks, who can rely on them in order to commit bank transfer scams, launder illicit funds, and bypass regulatory oversight. It is crucial to note that, even if individuals allow their accounts to be misused unintentionally, they will likely face legal consequences, since the law does not excuse negligence when it comes to financial crimes.

In addition, the investigation revealed that there are structured rate cards for the underground market, with prices determined by the transaction limits of individual accounts. As a matter of fact, accounts with a limit of one lakh transactions are often sold for around $18,000, whereas those with a limit of one lakh transactions can sell for as much as $60,000 at the higher end.

At the top end, accounts capable of performing transactions up to a crore can fetch a staggering amount of $ 6 lakhs, while accounts with a limit of five crores will fetch up to $30 lakh. There is a particularly keen interest among fraudsters orchestrating investment scams, call centre frauds, and cryptocurrency-related money laundering schemes to establish these high-limit accounts because they facilitate the transfer of large amounts of money without the immediate scrutiny of an immediate bank.

The experts at the World Economic Forum have identified the vulnerability of account opening through Business Correspondent (BC) points as one of the major enablers of this illegal trade, and in particular, the lack of appropriate physical verification often allows fraudulent accounts to slip through the cracks. According to Dr. R.S. Lohia, former executive director of a nationalised bank, criminals are exploiting the lack of rigorous Know Your Customer (KYC) enforcement as a critical weakness.

In order to dismantle this illicit economy, it is urgent that the regulatory oversight and banking surveillance be tightened. According to the investigation, this underground market operates based on a structured rate card, which determines the price of goods and services based on the transaction limit of every individual. Depending on the amount of transactions allowed, the price will vary between $18,000 and 60,000 for an account with a $1.5 lakh limit on transaction amounts, while an account with a $25 lakh limit will bring you $60,000.

On the higher end, accounts allowing transactions of up to $1.5 crore can be sold for around $6 lakh, and one allowing transactions of up to $5.5 crore can be sold for upwards of $30,000. There is a particularly keen interest among fraudsters orchestrating investment scams, call centre frauds, and cryptocurrency-related money laundering schemes to establish these high-limit accounts because they facilitate the transfer of large amounts of money without the immediate scrutiny of an immediate bank.

As the former Executive Director of a nationalised bank, Dr. Lohia expressed the concern that there is a critical weakness that criminals exploit due to the lack of stricter Know Your Customer (KYC) enforcement. It is therefore imperative that regulatory oversight is tightened and banking surveillance is strengthened in order to dismantle this illegal economy. According to the findings of this investigation, more problems lie beyond just an underground trade in bank accounts — these problems expose deep vulnerabilities in the country's financial security system.

According to experts, if there is no immediate action taken to correct the unchecked proliferation of these accounts, public trust could be undermined in banking institutions, and cybercriminals might be encouraged to scale up their operations even further if it continues unchecked. In their opinion, the challenge is not simply to dismantle broker networks, but also to strengthen compliance mechanisms, improve accountability in account opening processes, and make sure that regulatory vigilance is as sophisticated as the emerging financial crimes that are taking place.

With the rapid increase in digital transactions, the importance of safeguarding banks' channels has only increased. If we don't take decisive action, the black market for bank accounts will be a permanent parallel system, which will threaten the economy and the lives of ordinary citizens who will unwittingly end up entangled in criminal networks, threatening both economic stability and security.

Microsoft Flaw Blamed as Hackers Breach Canada’s House of Commons



 

Microsoft vulnerability

CBC CVSS CyberCrime Cyberhacks Data Breach Hackers Hackers Breach Microsoft Flaw Microsoft vulnerability

Microsoft Flaw Blamed as Hackers Breach Canada’s House of Commons

In a recent security incident involving Canada's parliamentary network, hackers exploited a recently released Microsoft vulnerability to breach the House of Commons network, shaking up the country's parliament.

According to an internal e-mail obtained by CBC News, the intrusion occurred on Friday and affected a database that was used to manage computers and mobile devices. The data revealed in the email included names, titles, email addresses, and details about computers and mobile devices, including operating systems, model numbers, and telephone numbers.

Officials have not been able to link the attack with any nation-state or criminal group, but questions remain as to whether additional sensitive information has been accessed. According to a statement from Olivier Duhaime, spokesperson for the Speaker's Office, the House of Commons is cooperating closely with its national security partners to conduct an investigation. However, he declined to provide further information due to security concerns.

An unauthorised actor gained access to the House's systems, which was first reported by CBC News on Monday, leading to the public discovery of the breach. According to an internal email of the intruders, they exploited a recent Microsoft vulnerability in order to gain access to parliamentary computers and mobile devices.

There was a lot of information exposed, including employee names, job titles, office locations, e-mail addresses, as well as technical information about devices controlled by the House. A cybersecurity agency such as Canada's Communications Security Establishment (CSE) has joined the investigation, although no one knows who the attackers are.

According to the CSE, a threat actor is defined as any entity seeking to disrupt or access a network without authorisation. In a recent report, the agency warned that foreign nations like China, Russia, and Iran are increasingly targeting Canadian institutions, despite this fact. Nevertheless, no attribution has been established in this case, and officials have cautioned against using the compromised information for scams, impersonation, or further invasions.

According to Canada's latest Cyber Threat Assessment, the country faces an ever-increasing exposure to digital threats, and it is described as a "valuable target" for both state-sponsored adversaries and criminals who are financially motivated to do so. In the last two years, the Canadian Centre for Cyber Security has reported a significant increase in the number and severity of cyber-attacks, with a warning that state actors are increasingly aggressive.

It has also been noted that cybercriminals are increasingly using illicit business models and artificial intelligence to expand their capabilities, according to Rajiv Gupta, head of the centre. Chinese cyber threats pose the greatest threat to Canada, according to the report, and it indicates that at least 20 government networks were compromised by threat actors affiliated with the People's Republic of China over the past four years.

The House of Commons incident is likely to be linked to a recently exploited zero-day Microsoft SharePoint vulnerability, which is known as CVE-2025-53770, although officials have not confirmed which particular flaw was exploited. During the exploitation of untrusted data in on-premises SharePoint Server, a vulnerability that has a CVSS score of 9 was discovered, which could allow an attacker to remotely execute code.

The vulnerability has been reported by Viettel Cyber Security through Trend Micro’s Zero Day Initiative since July. Since then, the vulnerability has been actively exploited, which prompted Microsoft to issue a warning and recommend immediate measures to mitigate the problem while a full patch is being prepared. As a result of the breach of parliament, members and staff have been urged to stay vigilant against potential scams.

The incident occurs at a time when Canada is facing an escalation of cyber threats that are becoming increasingly sophisticated as both adversaries and financially motivated criminals are increasingly leveraging advanced tools and artificial intelligence in order to gain an edge over their adversaries. During the past four years, the federal government has confirmed at least 20 network compromises linked to Beijing, indicating that China is the most sophisticated and active threat actor.

There is an increasing pressure on Canada's critical infrastructure due to recent incidents like the hack on WestJet in June that disrupted both the airline's internal systems as well as its mobile application. Initially discovered in May, this vulnerability, which was confirmed to be actively exploited in late July, can allow the attacker to execute code remotely, allowing them to gain access to all SharePoint content, including sensitive configurations and internal file systems.

As Costis pointed out, many major organisations, including Google and the United States, have recently been breached as a result of vulnerabilities in Microsoft platforms like Exchange and SharePoint. Several ransomware groups, including Salt Typhoon and Warlock, have been reported to have exploited these vulnerabilities by targeting nearly 400 organisations worldwide as a result of these campaigns.

In addition, the United States Cybersecurity and Infrastructure Security Agency (CISA) has also warned about the vulnerability, known as the “ToolShell” vulnerability. It was warned earlier this month that the vulnerability could enable not only unauthenticated access to systems, but also authenticated access to them through the use of network spoofing. This type of exploit could allow attackers to take complete control of SharePoint environments, including file systems and internal configurations.

A Mandiant CEO, Charles Carmakal, emphasised on LinkedIn that it is not just about applying Microsoft's security patch, but about taking steps to mitigate this risk along with implementing Mitigation strategies, in addition to applying Microsoft's security patch. It was reported by Microsoft in a July blog post that nation-state actors based in China have been actively trying to exploit the vulnerability, including Linen Typhoon, Violet Typhoon, and possibly Storm-2603, among others.

The group has historically targeted the intellectual property of governments, the defence sector, the human rights industry, strategic planning, higher education, as well as the media, finance, and health sectors throughout North America, Europe, and Asia. It has been reported that Linen Typhoon is known for its "drive-by compromises" that exploit existing vulnerabilities, whereas Violet Typhoon constantly scans exposed web infrastructure to find weaknesses, according to Microsoft.

The House of Commons breach echoes a growing trend of security concerns linked to enterprise technologies that have been widely deployed in the past few years. As a result, government and corporate systems have become increasingly fragile. Because Microsoft platforms are omnipresent, security analysts argue that they provide adversaries with a high-value entry point that can have far-reaching consequences when exploited by adversaries.

The incident highlights how, not only is it difficult to safeguard sensitive parliamentary data, but also to deal with systemic risks that cross critical sectors such as aviation, healthcare, finance, and higher education when they are exploited. There is an argument to be made that in order to achieve this goal, it will require not only timely patches and mitigations, but a cultural shift as well—one that integrates intelligence sharing, proactive threat hunting, and ongoing investments in cyber defence—along with the ongoing use of cyber defence technologies.

Even though global threat actors are growing in strength and opportunity, the incident serves as a reminder that it is vital that national institutions are protected with vigilance that matches the sophistication and scale of their adversaries.

Black Hat 25 Reveals What Keeps Cyber Experts Awake



 

Reporters

Black Hut Cyber Attacks Cyber Hackers CyberCrime Cybersecurity CyberThreat Reporters

Black Hat 25 Reveals What Keeps Cyber Experts Awake

In an era where cyber threats are becoming increasingly complex, Black Hat USA 2025 sounded alarms ringing with a sense of urgency that were unmistakable in the way they were sounded. As Nicole Perlroth, formerly a New York Times reporter, and now a founding partner at Silver Buckshot Ventures, made her presentation to a global security audience, she warned that cyber threats are evolving faster than the defenses that are designed to contain them, are failing.

It was discussed in the presentation how malware has moved from a loud disruption to a stealthy, autonomous persistence, and ransomware has now mimicked legitimate commerce by mimicking subscription-based models that have industrialized extortion.

Perlroth warned us that artificial intelligence, as well as supercharging attacks, is also corroding trust through distortions that are eroding trust. She argued that the consequences go beyond the corporate networks, and that democratic institutions, critical infrastructure, and public discourse are all directly in the crossfire of a new digital war.

During the past few years, artificial intelligence has emerged as both a powerful shield and a formidable weapon for cybersecurity, transforming attacks in both speed and scale while challenging traditional defenses simultaneously. According to experts at Black Hat, despite the rise of artificial intelligence, the industry is still grappling with longstanding security issues including application security, vulnerability management, and data protection, issues which remain unresolved despite decades of effort.

In a keynote address at the event, Paul Wheatman noted that, alongside these persistent challenges, artificial intelligence is bringing about a new set of opportunities and threats that have never existed before. The use of artificial intelligence is accelerating defense by enabling quicker, smarter threat detection, reducing false positives, and allowing security teams to prioritize strategy over triage, among other things.

In contrast, it is empowering adversaries with a wide range of tools, including automation of vulnerability discovery, persuasive phishing lures, and evasive malware, which lowers the barriers for attackers, even those who are not very experienced. Although technology vendors are quick to highlight the benefits of artificial intelligence, Wheatman noted that they are far less likely to address the risks of the technology.

According to him, artificial intelligence is simultaneously the greatest asset of cybersecurity as well as the greatest threat, which is why the technology is both its greatest asset and its greatest threat in 2025. It has been reported that 13% of organizations have already experienced security incidents linked to artificial intelligence models or applications, and 97% of them occurred in environments which had no proper access controls in place.

This is particularly true of the fact that the use of generative AI has allowed attackers to create phishing schemes and social engineering schemes faster and more convincing than they were once able to, eroding the barriers that once separated skilled adversaries from opportunistic criminals. There is a race on the defensive side of organizations, where they are rewriting policies, retraining their staffs, and overhauling incident response frameworks in order to keep up with an adversary that is no longer only dependent on human creativity.

In the opinion of Ken Phelan, chief technology officer at Gotham Technology Group in New York City, this rapid acceleration is more than simply a software problem, but also a fundamental infrastructure problem, which requires a rethinking of the very systems that support digital security.

In addition to the increasing complexity of the cybersecurity landscape, Black Hat USA also underscored how artificial intelligence is now used as a tool as well as a shield, and the cloud is now becoming the new arena on which battles are being fought.

This year's keynote sessions focused on how automation and artificial intelligence are amplifying the scale of malicious activity, which has turned malware from an inconvenience in the past into an advanced threat weapon used by financially motivated, organized threat actors. In today's world, the stakes for defenders are high as attacks are no longer solely targeted at code, but also people, institutions, and even society.

CISOs face both a tremendous challenge and an opportunity to showcase the strategic value of their work and investments as a result of this volatility, which is both an enormous challenge and an opportunity. Even so, the role of the CISO has also grown more challenging as it is becoming increasingly necessary to bring order to a chaotic and noisy environment. It has been well known for the past five years that more tools do not always result in stronger defences.

This is why vendors are now proving that their products are actually measurable, rather than positioning themselves as optional add-ons. A shift in cybersecurity posture was also highlighted at the conference, with experts stressing the importance of moving from a reactive to a proactive posture. At an executive panel organised by Dataminr, panellists shared how AI-powered platforms, like the Dataminr Pulse for Cyber Risk, are making it possible for teams to analyse huge amounts of data at machine speed, prioritise threats more effectively, and maximise existing resources using big data.

Without these approaches, there will remain a widening gap between increasingly agile threat actors and under-resourced defenders. A number of discussions at Black Hat USA 2025 made it impossible to ignore the fact that cybersecurity is no longer a siloed technical issue, but rather a societal imperative requiring agility, foresight, and collaboration at the global level.

There is no doubt that artificial intelligence, automation, and cloud technologies are transforming both the threat landscape as well as organisations' defensive capabilities, but the real challenge for companies lies in adapting strategy at the same speed as adversaries are adapting tactics. According to experts, tool investments are not a replacement for investments in people, processes, and governance.

Leadership and cultural readiness are as important as technology in ensuring resilience, they stressed. Cybersecurity risks are now becoming increasingly intertwined with geopolitical tensions, supply chain instability, and the erosion of digital trust, proving that the stakes go far beyond the value of corporate assets.

The message was clear to many attendees: cybersecurity leaders are being challenged not only to protect networks, but also to safeguard institutions, economies, and the integrity of public discourse itself in addition to protecting networks. This challenge is not only a daunting one, but also a great opportunity for the profession to take on a historic role in shaping the future of digital security, when the lines between defence strategy and survival have all but vanished in an era where the lines between defence, strategy, and survival are almost nonexistent.

Pro-Russian Hackers Breach Norwegian Dam Systems



 

PST

CyberCrime Cyberhakers CyberThreat Data Breach Frauds Norwegian Authority Pro-Russian PST

Pro-Russian Hackers Breach Norwegian Dam Systems

The Norwegian authorities have confirmed, in a development that illustrates the escalation of cyber threats on Europe's critical infrastructure, that pro-Russian hackers sabotaged a dam in April, affecting water flow for a short period of time. A remote control system linked to the dam's valve was broken in by attackers, according to the Norwegian Police Security Service (PST), which opened it for four hours after a remote attacker infiltrated the system.

Officials say the incident was not dangerous to nearby communities, but it is part of a broader pattern of hostile cyber activity by Russia and its proxies since the invasion of Ukraine, according to officials. It has been reported that these intrusions are becoming increasingly used against Western nations as a means of spreading fear and unrest due to their increased involvement in cyber warfare.

More than 70 incidents across Europe, ranging from cyberattacks, vandalism, arson, and attempted assassinations, have been documented by the Associated Press, which Western intelligence services have condemned as “reckless” and warned that these incidents are becoming increasingly violent. As of April 7, Norwegian authorities are now formally linking such an event to Russia, making it the first time such an attack was linked to Russia formally.

During the intrusion, hackers gained control of a dam in Bremanger, western Norway, manipulating its systems to open a floodgate and release water at a rate of 500 litres per second. The operation continued for roughly four hours before being detected and halted. Officials confirmed that, while the surge did not pose an immediate danger to surrounding areas, the deliberate act underscored the growing vulnerability of essential infrastructure to state-linked cyber operations.

Various Norwegian security officials have expressed concern that these incidents are a reflection of Russia's hybrid warfare campaign against Western nations, as well as a broader strategy of hybrid warfare waged against them. It has been reported to VG that cyberattacks are on the rise, often not to cause immediate damage, but rather to demonstrate the attackers' capabilities. She cautioned Norway to be on the lookout for more attempts of this type in the future.

A Norwegian intelligence service head, Nils Andreas Stensnes, has also expressed concern about this issue, stating that Russia is considered the greatest threat to the country's security. This particular dam was targeted in April, and is situated about 150 kilometres north of Bergen; and it does not produce energy. According to local media reports, the breach may have been facilitated by a weak password, which allowed the hackers to manipulate the system.

There is a resemblance between the incident and a January 2024 cyberattack on a Texas water plant that was also linked to Kremlin-backed actors and resulted in an overflow as a result. As it stands, Bremanger's sabotage fits within a pattern that Western officials attribute to Russia as a source of disruptive activity across Europe.

Over 70 such incidents, including vandalism and arson as well as attempted assassinations, have been documented by the Associated Press, describing them as "reckless" since the Russian invasion of Ukraine in 2015. There is a growing concern among intelligence agencies that these operations are becoming increasingly violent as time goes by.

Hackers gained access to the dam's digital control system in April and managed to remotely increase water flow for approximately four hours without the threat of immediate danger to those around the dam. In the opinion of police attorney Terje Nedreb Michelsen, it appears that a three-minute video was circulated through Telegram of the control panel on the dam, which is emblazoned with the symbols of a pro-Russian cybercriminal group.

It is worth noting that similar footage has appeared on social media in the past, but Norwegian police believe this is the first time in history that a pro-Russian hacker has succeeded in compromising critical water infrastructure since 2022. In analysing the incident, analysts note that cyber conflict is evolving in a way that underscores the fact that critical infrastructure, even when not directly connected to national energy grids or defence systems, is becoming an increasingly symbolic target in geopolitical conflicts.

It is possible for hostile actors to disproportionately damage physical equipment by exploiting outdated security measures or inadequate access controls. It has been stated by experts that, as digital systems control water resources, transportation networks, and industrial facilities become more interconnected, the risk of coordinated multi-target attacks increases.

Norway's case also illustrates how small nations face challenges when it comes to deterring and responding to cyber attacks by state-backed adversaries with vast resources and operational reach, in addition to the challenges they face. In such environments, security strategists contend that to strengthen cybersecurity, not only must people upgrade technology, but they also need to work closely with intelligence agencies, private operators, and international allies to share threat intelligence and coordinate defensive measures to protect themselves from threats.

Although the Bremanger intrusion has been contained, it serves as a sober reminder that modern conflicts increasingly play out on the networks and control panels of civilian infrastructure and represent a frontline of conflict in the modern age.

Rising Underwater Mortgages Signal Strain in Florida and Texas Property Markets



 

Underwater Mortgage

ATTOM CyberCrime CyberThreat Florida ICE Mortgage Mortgage Industry Texas Underwater Mortgage

Rising Underwater Mortgages Signal Strain in Florida and Texas Property Markets

A growing number of American homebuyers are turning to adjustable-rate mortgages (ARMs) and temporary buydowns as a way of easing the initial repayment burden when they are faced with persistently high interest rates. This is a new report from ICE Mortgage Technology that indicates more than 8% of borrowers will be using these financing structures by 2025, which indicates that there is a growing reliance on tools designed to lower payments during the first years of a loan.

Even though these products have been popular among consumers as a way of navigating affordability challenges in a high-cost borrowing environment, the report cautions that they pose inherent risks, particularly since interest rate adjustments and buydown periods could significantly increase future repayment obligations if these products are not properly handled. According to the latest U.S. Home Equity & Underwater Report from ATTOM released in Q1 2025, homeowner equity across the country is not the same.

In the first quarter, 46.2% of mortgaged residential properties were categorised as equity-rich, which indicates that the total loan balance secured by those homes did not exceed half of the market value of those homes. It is estimated that the share of the market has fallen steadily since it peaked at 49.2 per cent in the second quarter of last year—disappearing from 47.7 per cent in the final quarter of 2024—but still stands at about twice what it was in early 2020.

The CEO of ATOM, Rob Barber, said that seasonal trends suggest the early-year dip is not uncommon. Historically, the first quarter marks the lowest point in equity-rich proportions before they rebound back to normal in the spring. Additionally, according to the report, there has been a modest increase in financial strain.

The share of properties with seriously underwater mortgages—where debt exceeds the value of the property by at least 25 per cent—has increased from 2.5 per cent in late 2024 to 2.8 per cent in the first quarter of 2025. In the past year, new research has indicated that negative equity is becoming more prevalent, especially among those who purchased their home during the height of the pandemic-driven housing boom, indicating that negative equity is becoming more prevalent in the area.

In spite of the modest increase in these cases nationwide, certain Sunbelt markets are experiencing much steeper rises. According to Intercontinental Exchange figures, Cape Coral, Florida, has the highest number of underwater mortgages, with 7.8% of homes, followed by Lakeland at 4.4 per cent, San Antonio at 4.3per centt, Austin at 4.2, and North Port at 3.8.

Analysts report that these markets, which have seen some of the fastest price growth in recent years, are now experiencing the sharpest hofusing market corrections in their history. According to the ICE Home Price Index, home prices have been growing at a slower rate as of early June than they have in years past, with nearly one-third of the largest U.S. housing markets experiencing price declines of at least one percentage point from recent highs.

Even though this cooling might theoretically ease affordability pressures, ICE warns that it may hurt the equity positions of recent buyers, especially those who obtained low-down-payment financing through the FHA or VA system. Based on the firm's data, one out of every four seriously delinquent loans would become negatively impacted if sold at distressed prices. It is already evident that certain markets are experiencing the impact of a declining economy.

For example, 27 per cent of mortgages originated in Cape Coral, Florida, in 2023 and 2024 are underwater, while 18 per cent of mortgages originated in Austin, Texas, are underwater. Andy Walden, who heads ICE's mortgage and housing market research, believes that borrowers with a limited amount of equity-especially those who just purchased a house recently-are the most likely to be affected by the drop in home prices.

A second source of stress was the return of federal student loan payments and collections in May, according to ICE. A study from ICE McDash and TransUnion revealed that almost 20 per cent of mortgage holders also have student loan debt, a figure which rises to almost 30 per cent for FHA borrowers.

It has been estimated that nearly three-quarters of all underwater loans in recent years are backed by government-backed products, which were widely used during the housing boom by first-time and moderate-income buyers. This represents the entire increase in mortgage delinquencies over the past year, according to ICE.

While negative equity is still a significant limitation for homeowners today because the lending environment is much stricter than it was before the 2008 housing crash, thereby reducing the likelihood of a foreclosure wave, negative equity still carries significant limitations on the market today. There is a possibility that it will lock owners in place, preventing them from selling or refinancing their homes, and while many will continue to make payments without immediate hardship, further price decreases or a weakening job market can only lead to increased financial difficulties.

According to Redfin economist Chen Zhao, by the end of the year, the national home price will drop about 1 peper suggesting that there may be a continued increase in underwater cases. A study from ICE McDash and TransUnion revealed that almost 20 per cent of mortgage holders also have student loan debt, a figure which rises to almost 30 per cent for FHA borrowers.

According to a study, students who have fallen behind on their student loans were four times more likely to fall behind on their mortgage payments, which emphasises the compounding effect student debt has on housing instability. The most vulnerable homeowners are those with mortgages with a low down payment, such as those with FHA and VA loans. It has been estimated that nearly three-quarters of all underwater loans in recent years are backed by government-backed products, which were widely used during the housing boom by first-time and moderate-income buyers. This represents the entire increase in mortgage delinquencies over the past year, according to ICE.

According to Redfin economist Chen Zhao, by the end of the year, the national home price will drop about 1 per cent, suggesting that there may be a continued increase in underwater cases. Although there are considerable equity cushions from pandemic gains and tighter lending standards, which might mitigate broader fallouts, the trend is still regarded as a warning rather than a full-blown crisis at this time. For buyers in vulnerable markets, equity and timing are critical factors to consider when buying.

It has been reported that market analysts are pointing out that there is a transitional housing environment rather than a free fall as a result of the prevailing mix of cooled home prices, changing mortgage structures, and concentrated pockets of negative equity. Several trends have been observed in Florida, Texas, and other high-growth regions, demonstrating how localised market dynamics can differ sharply from national averages. This was particularly evident in areas that experienced rapid appreciation during the pandemic.

According to experts, even though stronger lending standards and high levels of homeowner equity still contain systemic risk, the concentration of vulnerability among recent buyers and borrowers who have made low down payments deserves careful observation. When economic conditions worsen, the combination of mortgage performance, affordability concerns, and external financial pressures, such as student loan obligations, may create stress points in certain markets.

Policymakers, lenders, and prospective buyers alike can take solace from the current data on housing's cyclical nature, which serves to highlight both the cyclical nature of the housing market as well as the need to anticipate how affordability tools, equity positions, and market corrections will connect to each other in the months to come.

Pandora Admits Customer Data Compromised in Security Breach



 

Security Breach

Customer Data CyberCrime Cyberhackers Cybersecurity Data Breach Jewellery Pandora Security Breach

Pandora Admits Customer Data Compromised in Security Breach

A major player in the global fashion jewellery market for many years, Pandora has long been positioned as a dominant force in this field as the world's largest jewellery brand. However, the luxury retailer is now one of a growing number of companies that have been targeted by cybercriminals.

Pandora confirmed on August 5, 2025, that a cyberattack had been launched on the platform used to store customer data by a third party. A Forbes report indicates that the breach was caused by unauthorised access to basic personal information, including customer name and email address. As a result, no passwords, credit card numbers, or any other sensitive financial information were compromised, the company stressed.

In response to the incident, Pandora has taken steps to contain it, improved its security measures, and stated that at the present time, no evidence has been found that suggests that the stolen information has been leaked or misused. There is no doubt that supply chain dependencies can be a vulnerability for attackers due to the recent breach at Danish jewellery giant Pandora, as evidenced by this breach.

The incident, rather than being the result of a direct intrusion into Pandora's core infrastructure, has been traced back to a third-party vendor platform — a reminder of the vulnerability of external services, including customer relationship management tools and marketing automation systems, which can be used by hackers as gateways.

Using this tactic, cybercriminals were able to gain unauthorised access to customer data. Cybercriminals often employ this tactic to facilitate secondary crimes such as phishing, identity theft, and targeted scams. This incident is part of a broader industry challenge, with organisations increasingly outsourcing critical functions while ignoring the security risks associated with these outsourcing agreements.

However, Pandora has not revealed who the third-party platform is; however, it has confirmed that some of Pandora's customer information was accessed through it, so the company's core internal systems remained unaffected by the intrusion. According to the jewellery retailer, the intrusion has been swiftly contained, and additional security measures have been put in place in order to ensure that future attacks do not occur again.

According to the investigation, only the most common types of data - the names, dates, and email addresses of customers - were copied, and there was no compromise of passwords, identity documents or financial information. Several researchers have noted that cybercriminals have been orchestrating social engineering campaigns on behalf of companies and help desks for as long as January 2025, often to obtain Salesforce credentials or trick the staff into authorising malicious OAuth applications.

It is not the only issue that is concerning the retail sector, as Chanel, a French fashion and cosmetics giant, also confirmed earlier this month a cyberattack perpetrated by the ShinyHunter extortion group, reportedly targeting Salesforce applications on August 1 through a social media-based intrusion, causing a significant amount of disruption in the industry.

In the last year, the UK retail sector has been experiencing challenges as a result of cyberattacks that have affected major brands such as M&S, Harrods, and The Co-op. This latest incident comes at a time when the retail sector has been facing an increasing number of cyberattacks. A breach earlier this year resulting in the theft of customer data led M&S to declare a loss of around £300 million for its annual profit.

It has been noted that in recent years, retailers have become prime targets for sophisticated hackers due to the vast amounts of consumer information they collect for marketing purposes and the outdated security infrastructure they use. Many retailers have underinvested in cybersecurity resilience in their pursuit of speed, scale, and convenience, which is something well-organised threat actors, such as Scattered Spider, are exploiting by taking advantage of this gap.

Cybersecurity expert Christoph Cemper advised Pandora customers to remain vigilant against potential phishing emails, warning that such attacks can lead to the theft of sensitive information or financial losses if recipients click malicious links or download harmful attachments. Pandora reaffirmed its commitment to data protection, stating, Cemper, however, emphasised that retailers must adopt more proactive measures to safeguard customer information.

Despite this incident, Pandora stressed the importance of not compromising passwords, payment information, or other sensitive details of customers. Specifically, the incident only involved “very common types of customer data”, including names and e-mail addresses, with no compromises to passwords, payment information, or other sensitive information.

As a result of its investigation, the company stated that no evidence of misuse of the stolen data was found, but it advised customers to remain vigilant, especially in situations where they receive unsolicited emails or ask for personal information online. In its warning to customers, Pandora advised them not to click on unfamiliar links or download attachments from unverified sources.

Pandora did not specify who was responsible for the intrusion, how the hack was executed, or how many people had been affected. Nonetheless, security researchers have been able to link the incident to the ShinyHunters group, which is said to have targeted corporate Salesforce databases with various social engineering and phishing techniques since January 2025.

Several of the members of this group claim that they will "perform a mass sale or leak" of data from companies unwilling to comply with ransom demands. As far as Salesforce is concerned, the company has not been compromised. Its statement attributed these breaches instead to sophisticated phishing attacks and social engineering attacks that have become increasingly sophisticated over the years, reiterating that customers are responsible for safeguarding their data on their own.

Today's interconnected retail environment serves as a reminder that cyber risks are no longer confined to a company's own network perimeter but are now a part of a company's wider digital footprint. It has become increasingly apparent that the lines between internal and external security responsibilities are blurring in light of the increasing use of vulnerability in third-party platforms, social engineering tactics, and overlooked digital entry points.

The stakes for global brands are not limited to immediate disruption to operations. In addition to consumer trust, brand reputation, and regulatory scrutiny, cybersecurity experts agree that a holistic approach is now needed in order to mitigate cyberattacks. In addition to rigorous vendor risk assessments, continuous employee training, advanced threat detection, and resilient incident response frameworks, these strategies are all important.

In an industry like luxury retail that is vulnerable to cyberattacks, Pandora's experience demonstrates what is becoming an increasingly common industry imperative: proactive defences are becoming not just an option but an essential tool for safeguarding the online relationships of customers and protecting their digital assets.

Ingram Micro Faces Alleged Breach by SafePay with Ransom Threat



 

SafePlay

Cyberbreach CyberCrime CyberThreat Data Breach Ingram Ingram Micro Ransom Threat Ransomware SafePlay

Ingram Micro Faces Alleged Breach by SafePay with Ransom Threat

As Ingram Micro is dealing with a widespread outage in its global technology distribution operations that appears to be directly linked to a ransomware attack by the cybercrime group SafePay, the company appears to be experiencing a significant disruption. The company has shut down internal systems due to the incident, which has affected the company's website and online ordering platform since Thursday, according to information obtained by BleepingComputer.

Despite the fact that Ingram Micro is a major business-to-business technology distributor and service provider that offers hardware, software, cloud solutions, logistics, and training to resellers and managed service providers across the world, it has not yet been publicly confirmed what caused the disruption. According to a ransomware group known as SafePay, the group has issued an ultimatum to Ingram Micro, warning that it will publish 3.5 terabytes of allegedly stolen data unless they are paid a ransom by August 1st.

Several prominent warning signs, along with a countdown clock, are prominently displayed on the leak site of the group, increasing the pressure on the California-based technology distributor to enter into negotiations with the group. During an ongoing investigation, Ingram Micro informed the public on 5 July of a ransomware attack, which resulted in certain internal systems being shut down as a precaution.

SafePay did not confirm at that time that any data exfiltration occurred, but now, following the breach, the company claims responsibility and asserts that it has obtained a significant volume of sensitive corporate information. A security researcher has found code similarities to the LockBit ransomware family, suggesting a potential rebrand or offshoot. SafePay started causing threats in late 2024 to at least twenty organisations across different industries.

With the group operating under a double-extortion model, not only do they encrypt compromised systems, but they also threaten victims with leaking their data should they refuse to pay the ransom. In the course of investigating the incident, it has been determined that SafePay was responsible for orchestrating the attack, a comparatively new type of ransomware which emerged between September and November 2024.

Ingram Micro had not attributed the attack to any specific threat actor. However, BleepingComputer has now discovered a link between the breach and the group that employs the double-extortion model, in which data is stolen and encrypted using system encryption, as well as claiming to have compromised more than 200 companies across a wide range of fields, including manufacturing, healthcare, and education.

There has been some speculation that SafePay exploited vulnerabilities in the GlobalProtect VPN platform to gain access to the company and left ransom notes on the company's employee devices. As a result of the attack, Ingram Micro's AI-driven Xvantage distribution system, as well as its Impulse license provisioning platform, both critical components of the organisation's global operations, were reportedly affected by the hack.

According to Ingram Micro's announcement on July 5, a number of internal systems had been identified as infected with malicious software, following a ransomware attack. An immediate precautionary measure was taken by the company to secure its environment, including proactively taking down systems and implementing mitigation measures, and the company announced the following week that global operations were fully back to normal.

There has been no mention of the stolen data, ransom demands, or who was responsible on the company's official incident update page or in its 8-K filing to the Securities and Exchange Commission, as of 7 July. Although the company has continued to acknowledge that it is actively investigating the scope of the incident and the nature of any data affected, it has opted not to comment further on it.

Interestingly, however, the ransomware group SafePay—which claims responsibility for the intrusion—is more forthright, claiming that it has infected 3.5 terabytes of sensitive data and has set the public release deadline of 1 August 2025 if a ransom is not paid. Consequently, a countdown clock is displayed on their leak site stating that if the ransom is not paid, it will release the data publicly.

As an intermediary in the supply chain for major technology vendors, Ingram Micro is the largest reseller and enterprise network in the world, servicing over 160,000 resellers and enterprise customers worldwide. There is a growing concern among security specialists that the exposure of partner agreements, customer records, and proprietary product information may have a far-reaching impact across the technology channel.

From enabling targeted phishing attacks to eroding competitive advantages, the risks are extensive across the technology channel. According to industry consultants, organisations should take steps to strengthen access controls, enforce multifactor authentication, monitor for emerging vulnerabilities, and limit remote access to secured VPNs to prevent such threats.

While Ingram Micro is still investigating the SafePay leak, the persistent countdown clock on the leak site indicates that no agreement has been reached, which makes it more likely for full disclosure of data to occur. If the claimed dataset is made available, vendors, resellers, and end users might have to reset their credentials on a large scale, prepare for targeted scams, and comply with any potential regulatory reporting requirements.

Security researchers are then expected to examine these files for potential indicators of compromise and tactical insights that could mitigate similar attacks in the future, as well as the likelihood of these attacks occurring again. It was in a brief announcement published by Ingram Micro on a Sunday morning that they had been victimised by ransomware attacks, stating that malicious software was detected on several internal systems.

During the investigation, the company reported that it took immediate steps to secure its environment, including the initiation of a proactive shutdown of the affected systems, the implementation of additional mitigation measures, the launch of an investigation with the assistance of leading cybersecurity experts, and the notification of authorities.

Despite the inconvenience caused by Ingram Micro, the company has expressed its sincere apologies to customers, vendors, and partners, as well as a commitment to restoring affected systems so normal order processing and shipping can resume. Palo Alto Networks responded to reports suggesting that attackers had gained access via Ingram Micro's GlobalProtect VPN gateway on 7 Julyemphasisingng that the company was investigating the claims and emphasising that threat actors regularly infiltrate VPNs by using stolen credentials or misconfigured networks.

It was reported that Ingram Micro had made great progress toward restoring transactional operations by 8 July. Subscription orders, renewals, and modifications had been processed globally again through its central support organisation, and customers across multiple countries, including the UK, Germany, France, Italy, Spain, Brazil, India, China, Portugal, and the Nordic countries, were accepting phone or email orders.

There are still some restrictions that apply to hardware and technology orders. Sources also indicate that VPN access has been restored in certain regions. Palo Alto Networks later confirmed that none of the company's products were exploited or compromised by the breach. In spite og only operating for about a year, SafePay has established a substantial footprint in the cybercrime landscape, displaying 265 victims on the dark web leak site it has operated for.

Having been identified in September 2024, this group is believed to have previously deployed LockBit ransomware, though it is unclear whether it is related to LockBit. The SafePay ransomware company claims it is different from many contemporary ransomware operations because it does not utilise affiliates to breach networks as a ransomware-as-a-service model.

A report by Emsisoft’s Brett Callow indicates that this strategy, along with the preference for a low public profile of the group, may be the group’s attempt to avoid the intense scrutiny that law enforcement authorities have been paying for actions taken against other high-profile gangs in recent months. Among the most active ransomware actors worldwide, SafePay is ranked fourth behind Qilin, Akira, and Play in NCC Group's second quarter 2025 report.

It has been estimated that this group is responsible for 70 attacks in May 2025 alone, which makes them the most active ransomware operators in the entire month. Ingram Micro and its global network of partners were impacted by the SafePay attack that led to a cascade of operational, financial and reputational consequences. It was reported that technology resellers, managed service providers, and vendors worldwide were unable to conduct transactions due to the downtime of digital commerce platforms, order processing systems, and cloud license provisioning systems.

As a result of the disruption, hardware and cloud shipments slowed, and downstream partners sought alternate distribution channelsemphasisingng the central role large distributors play in supplying IT products. In the wake of the outage, industry analysts estimate that SafePay has lost up to $136 million in revenue per day, according to industry analysts. SafePay claims to have exfiltrated 3.5 terabytes of sensitive data, including financial, legal, and intellectual property. If its ransom demands are not met, it threatens public release.

The prolonged downtime, along with limited communication from the company, caused criticism from both customers and industry observers. Experts believe that the incident underscores the vulnerable nature of VPNs and identity management systems, especially where multi-factor authentication is lacking, password security is not enforced, and timely patches aren't applied promptly.

The report also reflects the increasing use of double-extortion tactics, which combine system encryption with the threat of sensitive data leaks to achieve double extortion. Thus, organisations must prepare not only for the restoration of services, but also for possible repercussions in terms of privacy and legality. Although Ingram Micro had restored global services on 30 July 2025, it remains under continuous extortion threat, and the company is still undergoing an extensive forensic investigation.

As a result of the Ingram Micro incident, ransomware operations have become increasingly sophisticated and persistent, where a technical compromise is just the beginning of a broader campaign of intimidation and leverage. The tactics employed by SafePay—combining the operational paralysis of core systems with the looming threat of massive data loss—illustrate how modern cyberattacks are built to exert sustained pressure on victims for quite some time after initial containment measures have been completed.

It has served as a reminder for global supply chain operators that security perimeters must extend far beyond traditional network defenses, including identity verification, remote access governance, and proactive vulnerability management, in addition to traditional network defenses. In light of the interconnected nature of modern information technology ecosystems, it is evident that disruptions can cause shockwaves across multiple industries and markets if a single node is disrupted.

Several experts have noted that in the wake of high-profile supply chain breaches, threat actors are likely to be more focused on distributors and service aggregators, since they have extensive vendor and customer relationships, which have the potential to increase the impact of financial gains and reputational harm. It is also likely that regulatory bodies will examine these incidents with greater care, particularly where they involve the disclosure of sensitive partner information or customer information, which can result in broader compliance obligations as well as legal liabilities.

Taking Ingram Micro to the next level will require not only the resolution of immediate security and operational issues, but also the rebuilding of trust with the vast network of customers and partners the company has cultivated.

To reduce the long-term repercussions of the incident, it is crucial to be transparent in communications following the incident, to demonstrate security enhancements, and to collaborate with the industry to share intelligence on emerging threats. In the course of the investigation, it is likely to become an important reference point for cybersecurity strategy debates, as well as in shaping future policy aimed at protecting global supply chains against cybersecurity threats.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Millions of Patient Records Compromised After Ransomware Strike on DaVita

Healthcare Faces Growing Cyber Threats

Healthcare Becomes A Cyber Battlefield

Expansion of the Investigation

Data Theft And Interlock’s Role

The Road Ahead For Healthcare Security

Cybercriminals Steal Thousands of Guest ID Documents from Italian Hotels

Hotels and Guests Caught Off Guard

The Scale of the Breach

A Familiar Target for Cybercriminals

How the Data Can Be Abused

Industry Response and Urgency

A Warning for the Global Hospitality Industry

Scammers Can Pinpoint Your Exact Location With a Single Click Warns Hacker

Brokers Fuel Underground Market for Bank Accounts in India

Microsoft Flaw Blamed as Hackers Breach Canada’s House of Commons

Black Hat 25 Reveals What Keeps Cyber Experts Awake

Pro-Russian Hackers Breach Norwegian Dam Systems

Rising Underwater Mortgages Signal Strain in Florida and Texas Property Markets

Pandora Admits Customer Data Compromised in Security Breach

Ingram Micro Faces Alleged Breach by SafePay with Ransom Threat

Footer About

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item

Healthcare Faces Growing Cyber Threats

Healthcare Becomes A Cyber Battlefield

Expansion of the Investigation

Data Theft And Interlock’s Role

The Road Ahead For Healthcare Security

Hotels and Guests Caught Off Guard

The Scale of the Breach

A Familiar Target for Cybercriminals

How the Data Can Be Abused

Industry Response and Urgency

A Warning for the Global Hospitality Industry