CySecurity News - Latest Information Security and Hacking Incidents: CyberCrime

CBC CVSS CyberCrime Cyberhacks Data Breach Hackers Hackers Breach Microsoft Flaw Microsoft vulnerability

Microsoft Flaw Blamed as Hackers Breach Canada’s House of Commons

In a recent security incident involving Canada's parliamentary network, hackers exploited a recently released Microsoft vulnerability to breach the House of Commons network, shaking up the country's parliament.

According to an internal e-mail obtained by CBC News, the intrusion occurred on Friday and affected a database that was used to manage computers and mobile devices. The data revealed in the email included names, titles, email addresses, and details about computers and mobile devices, including operating systems, model numbers, and telephone numbers.

Officials have not been able to link the attack with any nation-state or criminal group, but questions remain as to whether additional sensitive information has been accessed. According to a statement from Olivier Duhaime, spokesperson for the Speaker's Office, the House of Commons is cooperating closely with its national security partners to conduct an investigation. However, he declined to provide further information due to security concerns.

An unauthorised actor gained access to the House's systems, which was first reported by CBC News on Monday, leading to the public discovery of the breach. According to an internal email of the intruders, they exploited a recent Microsoft vulnerability in order to gain access to parliamentary computers and mobile devices.

There was a lot of information exposed, including employee names, job titles, office locations, e-mail addresses, as well as technical information about devices controlled by the House. A cybersecurity agency such as Canada's Communications Security Establishment (CSE) has joined the investigation, although no one knows who the attackers are.

According to the CSE, a threat actor is defined as any entity seeking to disrupt or access a network without authorisation. In a recent report, the agency warned that foreign nations like China, Russia, and Iran are increasingly targeting Canadian institutions, despite this fact. Nevertheless, no attribution has been established in this case, and officials have cautioned against using the compromised information for scams, impersonation, or further invasions.

According to Canada's latest Cyber Threat Assessment, the country faces an ever-increasing exposure to digital threats, and it is described as a "valuable target" for both state-sponsored adversaries and criminals who are financially motivated to do so. In the last two years, the Canadian Centre for Cyber Security has reported a significant increase in the number and severity of cyber-attacks, with a warning that state actors are increasingly aggressive.

It has also been noted that cybercriminals are increasingly using illicit business models and artificial intelligence to expand their capabilities, according to Rajiv Gupta, head of the centre. Chinese cyber threats pose the greatest threat to Canada, according to the report, and it indicates that at least 20 government networks were compromised by threat actors affiliated with the People's Republic of China over the past four years.

The House of Commons incident is likely to be linked to a recently exploited zero-day Microsoft SharePoint vulnerability, which is known as CVE-2025-53770, although officials have not confirmed which particular flaw was exploited. During the exploitation of untrusted data in on-premises SharePoint Server, a vulnerability that has a CVSS score of 9 was discovered, which could allow an attacker to remotely execute code.

The vulnerability has been reported by Viettel Cyber Security through Trend Micro’s Zero Day Initiative since July. Since then, the vulnerability has been actively exploited, which prompted Microsoft to issue a warning and recommend immediate measures to mitigate the problem while a full patch is being prepared. As a result of the breach of parliament, members and staff have been urged to stay vigilant against potential scams.

The incident occurs at a time when Canada is facing an escalation of cyber threats that are becoming increasingly sophisticated as both adversaries and financially motivated criminals are increasingly leveraging advanced tools and artificial intelligence in order to gain an edge over their adversaries. During the past four years, the federal government has confirmed at least 20 network compromises linked to Beijing, indicating that China is the most sophisticated and active threat actor.

There is an increasing pressure on Canada's critical infrastructure due to recent incidents like the hack on WestJet in June that disrupted both the airline's internal systems as well as its mobile application. Initially discovered in May, this vulnerability, which was confirmed to be actively exploited in late July, can allow the attacker to execute code remotely, allowing them to gain access to all SharePoint content, including sensitive configurations and internal file systems.

As Costis pointed out, many major organisations, including Google and the United States, have recently been breached as a result of vulnerabilities in Microsoft platforms like Exchange and SharePoint. Several ransomware groups, including Salt Typhoon and Warlock, have been reported to have exploited these vulnerabilities by targeting nearly 400 organisations worldwide as a result of these campaigns.

In addition, the United States Cybersecurity and Infrastructure Security Agency (CISA) has also warned about the vulnerability, known as the “ToolShell” vulnerability. It was warned earlier this month that the vulnerability could enable not only unauthenticated access to systems, but also authenticated access to them through the use of network spoofing. This type of exploit could allow attackers to take complete control of SharePoint environments, including file systems and internal configurations.

A Mandiant CEO, Charles Carmakal, emphasised on LinkedIn that it is not just about applying Microsoft's security patch, but about taking steps to mitigate this risk along with implementing Mitigation strategies, in addition to applying Microsoft's security patch. It was reported by Microsoft in a July blog post that nation-state actors based in China have been actively trying to exploit the vulnerability, including Linen Typhoon, Violet Typhoon, and possibly Storm-2603, among others.

The group has historically targeted the intellectual property of governments, the defence sector, the human rights industry, strategic planning, higher education, as well as the media, finance, and health sectors throughout North America, Europe, and Asia. It has been reported that Linen Typhoon is known for its "drive-by compromises" that exploit existing vulnerabilities, whereas Violet Typhoon constantly scans exposed web infrastructure to find weaknesses, according to Microsoft.

The House of Commons breach echoes a growing trend of security concerns linked to enterprise technologies that have been widely deployed in the past few years. As a result, government and corporate systems have become increasingly fragile. Because Microsoft platforms are omnipresent, security analysts argue that they provide adversaries with a high-value entry point that can have far-reaching consequences when exploited by adversaries.

The incident highlights how, not only is it difficult to safeguard sensitive parliamentary data, but also to deal with systemic risks that cross critical sectors such as aviation, healthcare, finance, and higher education when they are exploited. There is an argument to be made that in order to achieve this goal, it will require not only timely patches and mitigations, but a cultural shift as well—one that integrates intelligence sharing, proactive threat hunting, and ongoing investments in cyber defence—along with the ongoing use of cyber defence technologies.

Even though global threat actors are growing in strength and opportunity, the incident serves as a reminder that it is vital that national institutions are protected with vigilance that matches the sophistication and scale of their adversaries.

Black Hat 25 Reveals What Keeps Cyber Experts Awake



 

Reporters

Black Hut Cyber Attacks Cyber Hackers CyberCrime Cybersecurity CyberThreat Reporters

Black Hat 25 Reveals What Keeps Cyber Experts Awake

In an era where cyber threats are becoming increasingly complex, Black Hat USA 2025 sounded alarms ringing with a sense of urgency that were unmistakable in the way they were sounded. As Nicole Perlroth, formerly a New York Times reporter, and now a founding partner at Silver Buckshot Ventures, made her presentation to a global security audience, she warned that cyber threats are evolving faster than the defenses that are designed to contain them, are failing.

It was discussed in the presentation how malware has moved from a loud disruption to a stealthy, autonomous persistence, and ransomware has now mimicked legitimate commerce by mimicking subscription-based models that have industrialized extortion.

Perlroth warned us that artificial intelligence, as well as supercharging attacks, is also corroding trust through distortions that are eroding trust. She argued that the consequences go beyond the corporate networks, and that democratic institutions, critical infrastructure, and public discourse are all directly in the crossfire of a new digital war.

During the past few years, artificial intelligence has emerged as both a powerful shield and a formidable weapon for cybersecurity, transforming attacks in both speed and scale while challenging traditional defenses simultaneously. According to experts at Black Hat, despite the rise of artificial intelligence, the industry is still grappling with longstanding security issues including application security, vulnerability management, and data protection, issues which remain unresolved despite decades of effort.

In a keynote address at the event, Paul Wheatman noted that, alongside these persistent challenges, artificial intelligence is bringing about a new set of opportunities and threats that have never existed before. The use of artificial intelligence is accelerating defense by enabling quicker, smarter threat detection, reducing false positives, and allowing security teams to prioritize strategy over triage, among other things.

In contrast, it is empowering adversaries with a wide range of tools, including automation of vulnerability discovery, persuasive phishing lures, and evasive malware, which lowers the barriers for attackers, even those who are not very experienced. Although technology vendors are quick to highlight the benefits of artificial intelligence, Wheatman noted that they are far less likely to address the risks of the technology.

According to him, artificial intelligence is simultaneously the greatest asset of cybersecurity as well as the greatest threat, which is why the technology is both its greatest asset and its greatest threat in 2025. It has been reported that 13% of organizations have already experienced security incidents linked to artificial intelligence models or applications, and 97% of them occurred in environments which had no proper access controls in place.

This is particularly true of the fact that the use of generative AI has allowed attackers to create phishing schemes and social engineering schemes faster and more convincing than they were once able to, eroding the barriers that once separated skilled adversaries from opportunistic criminals. There is a race on the defensive side of organizations, where they are rewriting policies, retraining their staffs, and overhauling incident response frameworks in order to keep up with an adversary that is no longer only dependent on human creativity.

In the opinion of Ken Phelan, chief technology officer at Gotham Technology Group in New York City, this rapid acceleration is more than simply a software problem, but also a fundamental infrastructure problem, which requires a rethinking of the very systems that support digital security.

In addition to the increasing complexity of the cybersecurity landscape, Black Hat USA also underscored how artificial intelligence is now used as a tool as well as a shield, and the cloud is now becoming the new arena on which battles are being fought.

This year's keynote sessions focused on how automation and artificial intelligence are amplifying the scale of malicious activity, which has turned malware from an inconvenience in the past into an advanced threat weapon used by financially motivated, organized threat actors. In today's world, the stakes for defenders are high as attacks are no longer solely targeted at code, but also people, institutions, and even society.

CISOs face both a tremendous challenge and an opportunity to showcase the strategic value of their work and investments as a result of this volatility, which is both an enormous challenge and an opportunity. Even so, the role of the CISO has also grown more challenging as it is becoming increasingly necessary to bring order to a chaotic and noisy environment. It has been well known for the past five years that more tools do not always result in stronger defences.

This is why vendors are now proving that their products are actually measurable, rather than positioning themselves as optional add-ons. A shift in cybersecurity posture was also highlighted at the conference, with experts stressing the importance of moving from a reactive to a proactive posture. At an executive panel organised by Dataminr, panellists shared how AI-powered platforms, like the Dataminr Pulse for Cyber Risk, are making it possible for teams to analyse huge amounts of data at machine speed, prioritise threats more effectively, and maximise existing resources using big data.

Without these approaches, there will remain a widening gap between increasingly agile threat actors and under-resourced defenders. A number of discussions at Black Hat USA 2025 made it impossible to ignore the fact that cybersecurity is no longer a siloed technical issue, but rather a societal imperative requiring agility, foresight, and collaboration at the global level.

There is no doubt that artificial intelligence, automation, and cloud technologies are transforming both the threat landscape as well as organisations' defensive capabilities, but the real challenge for companies lies in adapting strategy at the same speed as adversaries are adapting tactics. According to experts, tool investments are not a replacement for investments in people, processes, and governance.

Leadership and cultural readiness are as important as technology in ensuring resilience, they stressed. Cybersecurity risks are now becoming increasingly intertwined with geopolitical tensions, supply chain instability, and the erosion of digital trust, proving that the stakes go far beyond the value of corporate assets.

The message was clear to many attendees: cybersecurity leaders are being challenged not only to protect networks, but also to safeguard institutions, economies, and the integrity of public discourse itself in addition to protecting networks. This challenge is not only a daunting one, but also a great opportunity for the profession to take on a historic role in shaping the future of digital security, when the lines between defence strategy and survival have all but vanished in an era where the lines between defence, strategy, and survival are almost nonexistent.

Pro-Russian Hackers Breach Norwegian Dam Systems



 

PST

CyberCrime Cyberhakers CyberThreat Data Breach Frauds Norwegian Authority Pro-Russian PST

Pro-Russian Hackers Breach Norwegian Dam Systems

The Norwegian authorities have confirmed, in a development that illustrates the escalation of cyber threats on Europe's critical infrastructure, that pro-Russian hackers sabotaged a dam in April, affecting water flow for a short period of time. A remote control system linked to the dam's valve was broken in by attackers, according to the Norwegian Police Security Service (PST), which opened it for four hours after a remote attacker infiltrated the system.

Officials say the incident was not dangerous to nearby communities, but it is part of a broader pattern of hostile cyber activity by Russia and its proxies since the invasion of Ukraine, according to officials. It has been reported that these intrusions are becoming increasingly used against Western nations as a means of spreading fear and unrest due to their increased involvement in cyber warfare.

More than 70 incidents across Europe, ranging from cyberattacks, vandalism, arson, and attempted assassinations, have been documented by the Associated Press, which Western intelligence services have condemned as “reckless” and warned that these incidents are becoming increasingly violent. As of April 7, Norwegian authorities are now formally linking such an event to Russia, making it the first time such an attack was linked to Russia formally.

During the intrusion, hackers gained control of a dam in Bremanger, western Norway, manipulating its systems to open a floodgate and release water at a rate of 500 litres per second. The operation continued for roughly four hours before being detected and halted. Officials confirmed that, while the surge did not pose an immediate danger to surrounding areas, the deliberate act underscored the growing vulnerability of essential infrastructure to state-linked cyber operations.

Various Norwegian security officials have expressed concern that these incidents are a reflection of Russia's hybrid warfare campaign against Western nations, as well as a broader strategy of hybrid warfare waged against them. It has been reported to VG that cyberattacks are on the rise, often not to cause immediate damage, but rather to demonstrate the attackers' capabilities. She cautioned Norway to be on the lookout for more attempts of this type in the future.

A Norwegian intelligence service head, Nils Andreas Stensnes, has also expressed concern about this issue, stating that Russia is considered the greatest threat to the country's security. This particular dam was targeted in April, and is situated about 150 kilometres north of Bergen; and it does not produce energy. According to local media reports, the breach may have been facilitated by a weak password, which allowed the hackers to manipulate the system.

There is a resemblance between the incident and a January 2024 cyberattack on a Texas water plant that was also linked to Kremlin-backed actors and resulted in an overflow as a result. As it stands, Bremanger's sabotage fits within a pattern that Western officials attribute to Russia as a source of disruptive activity across Europe.

Over 70 such incidents, including vandalism and arson as well as attempted assassinations, have been documented by the Associated Press, describing them as "reckless" since the Russian invasion of Ukraine in 2015. There is a growing concern among intelligence agencies that these operations are becoming increasingly violent as time goes by.

Hackers gained access to the dam's digital control system in April and managed to remotely increase water flow for approximately four hours without the threat of immediate danger to those around the dam. In the opinion of police attorney Terje Nedreb Michelsen, it appears that a three-minute video was circulated through Telegram of the control panel on the dam, which is emblazoned with the symbols of a pro-Russian cybercriminal group.

It is worth noting that similar footage has appeared on social media in the past, but Norwegian police believe this is the first time in history that a pro-Russian hacker has succeeded in compromising critical water infrastructure since 2022. In analysing the incident, analysts note that cyber conflict is evolving in a way that underscores the fact that critical infrastructure, even when not directly connected to national energy grids or defence systems, is becoming an increasingly symbolic target in geopolitical conflicts.

It is possible for hostile actors to disproportionately damage physical equipment by exploiting outdated security measures or inadequate access controls. It has been stated by experts that, as digital systems control water resources, transportation networks, and industrial facilities become more interconnected, the risk of coordinated multi-target attacks increases.

Norway's case also illustrates how small nations face challenges when it comes to deterring and responding to cyber attacks by state-backed adversaries with vast resources and operational reach, in addition to the challenges they face. In such environments, security strategists contend that to strengthen cybersecurity, not only must people upgrade technology, but they also need to work closely with intelligence agencies, private operators, and international allies to share threat intelligence and coordinate defensive measures to protect themselves from threats.

Although the Bremanger intrusion has been contained, it serves as a sober reminder that modern conflicts increasingly play out on the networks and control panels of civilian infrastructure and represent a frontline of conflict in the modern age.

Rising Underwater Mortgages Signal Strain in Florida and Texas Property Markets



 

Underwater Mortgage

ATTOM CyberCrime CyberThreat Florida ICE Mortgage Mortgage Industry Texas Underwater Mortgage

Rising Underwater Mortgages Signal Strain in Florida and Texas Property Markets

A growing number of American homebuyers are turning to adjustable-rate mortgages (ARMs) and temporary buydowns as a way of easing the initial repayment burden when they are faced with persistently high interest rates. This is a new report from ICE Mortgage Technology that indicates more than 8% of borrowers will be using these financing structures by 2025, which indicates that there is a growing reliance on tools designed to lower payments during the first years of a loan.

Even though these products have been popular among consumers as a way of navigating affordability challenges in a high-cost borrowing environment, the report cautions that they pose inherent risks, particularly since interest rate adjustments and buydown periods could significantly increase future repayment obligations if these products are not properly handled. According to the latest U.S. Home Equity & Underwater Report from ATTOM released in Q1 2025, homeowner equity across the country is not the same.

In the first quarter, 46.2% of mortgaged residential properties were categorised as equity-rich, which indicates that the total loan balance secured by those homes did not exceed half of the market value of those homes. It is estimated that the share of the market has fallen steadily since it peaked at 49.2 per cent in the second quarter of last year—disappearing from 47.7 per cent in the final quarter of 2024—but still stands at about twice what it was in early 2020.

The CEO of ATOM, Rob Barber, said that seasonal trends suggest the early-year dip is not uncommon. Historically, the first quarter marks the lowest point in equity-rich proportions before they rebound back to normal in the spring. Additionally, according to the report, there has been a modest increase in financial strain.

The share of properties with seriously underwater mortgages—where debt exceeds the value of the property by at least 25 per cent—has increased from 2.5 per cent in late 2024 to 2.8 per cent in the first quarter of 2025. In the past year, new research has indicated that negative equity is becoming more prevalent, especially among those who purchased their home during the height of the pandemic-driven housing boom, indicating that negative equity is becoming more prevalent in the area.

In spite of the modest increase in these cases nationwide, certain Sunbelt markets are experiencing much steeper rises. According to Intercontinental Exchange figures, Cape Coral, Florida, has the highest number of underwater mortgages, with 7.8% of homes, followed by Lakeland at 4.4 per cent, San Antonio at 4.3per centt, Austin at 4.2, and North Port at 3.8.

Analysts report that these markets, which have seen some of the fastest price growth in recent years, are now experiencing the sharpest hofusing market corrections in their history. According to the ICE Home Price Index, home prices have been growing at a slower rate as of early June than they have in years past, with nearly one-third of the largest U.S. housing markets experiencing price declines of at least one percentage point from recent highs.

Even though this cooling might theoretically ease affordability pressures, ICE warns that it may hurt the equity positions of recent buyers, especially those who obtained low-down-payment financing through the FHA or VA system. Based on the firm's data, one out of every four seriously delinquent loans would become negatively impacted if sold at distressed prices. It is already evident that certain markets are experiencing the impact of a declining economy.

For example, 27 per cent of mortgages originated in Cape Coral, Florida, in 2023 and 2024 are underwater, while 18 per cent of mortgages originated in Austin, Texas, are underwater. Andy Walden, who heads ICE's mortgage and housing market research, believes that borrowers with a limited amount of equity-especially those who just purchased a house recently-are the most likely to be affected by the drop in home prices.

A second source of stress was the return of federal student loan payments and collections in May, according to ICE. A study from ICE McDash and TransUnion revealed that almost 20 per cent of mortgage holders also have student loan debt, a figure which rises to almost 30 per cent for FHA borrowers.

It has been estimated that nearly three-quarters of all underwater loans in recent years are backed by government-backed products, which were widely used during the housing boom by first-time and moderate-income buyers. This represents the entire increase in mortgage delinquencies over the past year, according to ICE.

While negative equity is still a significant limitation for homeowners today because the lending environment is much stricter than it was before the 2008 housing crash, thereby reducing the likelihood of a foreclosure wave, negative equity still carries significant limitations on the market today. There is a possibility that it will lock owners in place, preventing them from selling or refinancing their homes, and while many will continue to make payments without immediate hardship, further price decreases or a weakening job market can only lead to increased financial difficulties.

According to Redfin economist Chen Zhao, by the end of the year, the national home price will drop about 1 peper suggesting that there may be a continued increase in underwater cases. A study from ICE McDash and TransUnion revealed that almost 20 per cent of mortgage holders also have student loan debt, a figure which rises to almost 30 per cent for FHA borrowers.

According to a study, students who have fallen behind on their student loans were four times more likely to fall behind on their mortgage payments, which emphasises the compounding effect student debt has on housing instability. The most vulnerable homeowners are those with mortgages with a low down payment, such as those with FHA and VA loans. It has been estimated that nearly three-quarters of all underwater loans in recent years are backed by government-backed products, which were widely used during the housing boom by first-time and moderate-income buyers. This represents the entire increase in mortgage delinquencies over the past year, according to ICE.

According to Redfin economist Chen Zhao, by the end of the year, the national home price will drop about 1 per cent, suggesting that there may be a continued increase in underwater cases. Although there are considerable equity cushions from pandemic gains and tighter lending standards, which might mitigate broader fallouts, the trend is still regarded as a warning rather than a full-blown crisis at this time. For buyers in vulnerable markets, equity and timing are critical factors to consider when buying.

It has been reported that market analysts are pointing out that there is a transitional housing environment rather than a free fall as a result of the prevailing mix of cooled home prices, changing mortgage structures, and concentrated pockets of negative equity. Several trends have been observed in Florida, Texas, and other high-growth regions, demonstrating how localised market dynamics can differ sharply from national averages. This was particularly evident in areas that experienced rapid appreciation during the pandemic.

According to experts, even though stronger lending standards and high levels of homeowner equity still contain systemic risk, the concentration of vulnerability among recent buyers and borrowers who have made low down payments deserves careful observation. When economic conditions worsen, the combination of mortgage performance, affordability concerns, and external financial pressures, such as student loan obligations, may create stress points in certain markets.

Policymakers, lenders, and prospective buyers alike can take solace from the current data on housing's cyclical nature, which serves to highlight both the cyclical nature of the housing market as well as the need to anticipate how affordability tools, equity positions, and market corrections will connect to each other in the months to come.

Pandora Admits Customer Data Compromised in Security Breach



 

Security Breach

Customer Data CyberCrime Cyberhackers Cybersecurity Data Breach Jewellery Pandora Security Breach

Pandora Admits Customer Data Compromised in Security Breach

A major player in the global fashion jewellery market for many years, Pandora has long been positioned as a dominant force in this field as the world's largest jewellery brand. However, the luxury retailer is now one of a growing number of companies that have been targeted by cybercriminals.

Pandora confirmed on August 5, 2025, that a cyberattack had been launched on the platform used to store customer data by a third party. A Forbes report indicates that the breach was caused by unauthorised access to basic personal information, including customer name and email address. As a result, no passwords, credit card numbers, or any other sensitive financial information were compromised, the company stressed.

In response to the incident, Pandora has taken steps to contain it, improved its security measures, and stated that at the present time, no evidence has been found that suggests that the stolen information has been leaked or misused. There is no doubt that supply chain dependencies can be a vulnerability for attackers due to the recent breach at Danish jewellery giant Pandora, as evidenced by this breach.

The incident, rather than being the result of a direct intrusion into Pandora's core infrastructure, has been traced back to a third-party vendor platform — a reminder of the vulnerability of external services, including customer relationship management tools and marketing automation systems, which can be used by hackers as gateways.

Using this tactic, cybercriminals were able to gain unauthorised access to customer data. Cybercriminals often employ this tactic to facilitate secondary crimes such as phishing, identity theft, and targeted scams. This incident is part of a broader industry challenge, with organisations increasingly outsourcing critical functions while ignoring the security risks associated with these outsourcing agreements.

However, Pandora has not revealed who the third-party platform is; however, it has confirmed that some of Pandora's customer information was accessed through it, so the company's core internal systems remained unaffected by the intrusion. According to the jewellery retailer, the intrusion has been swiftly contained, and additional security measures have been put in place in order to ensure that future attacks do not occur again.

According to the investigation, only the most common types of data - the names, dates, and email addresses of customers - were copied, and there was no compromise of passwords, identity documents or financial information. Several researchers have noted that cybercriminals have been orchestrating social engineering campaigns on behalf of companies and help desks for as long as January 2025, often to obtain Salesforce credentials or trick the staff into authorising malicious OAuth applications.

It is not the only issue that is concerning the retail sector, as Chanel, a French fashion and cosmetics giant, also confirmed earlier this month a cyberattack perpetrated by the ShinyHunter extortion group, reportedly targeting Salesforce applications on August 1 through a social media-based intrusion, causing a significant amount of disruption in the industry.

In the last year, the UK retail sector has been experiencing challenges as a result of cyberattacks that have affected major brands such as M&S, Harrods, and The Co-op. This latest incident comes at a time when the retail sector has been facing an increasing number of cyberattacks. A breach earlier this year resulting in the theft of customer data led M&S to declare a loss of around £300 million for its annual profit.

It has been noted that in recent years, retailers have become prime targets for sophisticated hackers due to the vast amounts of consumer information they collect for marketing purposes and the outdated security infrastructure they use. Many retailers have underinvested in cybersecurity resilience in their pursuit of speed, scale, and convenience, which is something well-organised threat actors, such as Scattered Spider, are exploiting by taking advantage of this gap.

Cybersecurity expert Christoph Cemper advised Pandora customers to remain vigilant against potential phishing emails, warning that such attacks can lead to the theft of sensitive information or financial losses if recipients click malicious links or download harmful attachments. Pandora reaffirmed its commitment to data protection, stating, Cemper, however, emphasised that retailers must adopt more proactive measures to safeguard customer information.

Despite this incident, Pandora stressed the importance of not compromising passwords, payment information, or other sensitive details of customers. Specifically, the incident only involved “very common types of customer data”, including names and e-mail addresses, with no compromises to passwords, payment information, or other sensitive information.

As a result of its investigation, the company stated that no evidence of misuse of the stolen data was found, but it advised customers to remain vigilant, especially in situations where they receive unsolicited emails or ask for personal information online. In its warning to customers, Pandora advised them not to click on unfamiliar links or download attachments from unverified sources.

Pandora did not specify who was responsible for the intrusion, how the hack was executed, or how many people had been affected. Nonetheless, security researchers have been able to link the incident to the ShinyHunters group, which is said to have targeted corporate Salesforce databases with various social engineering and phishing techniques since January 2025.

Several of the members of this group claim that they will "perform a mass sale or leak" of data from companies unwilling to comply with ransom demands. As far as Salesforce is concerned, the company has not been compromised. Its statement attributed these breaches instead to sophisticated phishing attacks and social engineering attacks that have become increasingly sophisticated over the years, reiterating that customers are responsible for safeguarding their data on their own.

Today's interconnected retail environment serves as a reminder that cyber risks are no longer confined to a company's own network perimeter but are now a part of a company's wider digital footprint. It has become increasingly apparent that the lines between internal and external security responsibilities are blurring in light of the increasing use of vulnerability in third-party platforms, social engineering tactics, and overlooked digital entry points.

The stakes for global brands are not limited to immediate disruption to operations. In addition to consumer trust, brand reputation, and regulatory scrutiny, cybersecurity experts agree that a holistic approach is now needed in order to mitigate cyberattacks. In addition to rigorous vendor risk assessments, continuous employee training, advanced threat detection, and resilient incident response frameworks, these strategies are all important.

In an industry like luxury retail that is vulnerable to cyberattacks, Pandora's experience demonstrates what is becoming an increasingly common industry imperative: proactive defences are becoming not just an option but an essential tool for safeguarding the online relationships of customers and protecting their digital assets.

Ingram Micro Faces Alleged Breach by SafePay with Ransom Threat



 

SafePlay

Cyberbreach CyberCrime CyberThreat Data Breach Ingram Ingram Micro Ransom Threat Ransomware SafePlay

Ingram Micro Faces Alleged Breach by SafePay with Ransom Threat

As Ingram Micro is dealing with a widespread outage in its global technology distribution operations that appears to be directly linked to a ransomware attack by the cybercrime group SafePay, the company appears to be experiencing a significant disruption. The company has shut down internal systems due to the incident, which has affected the company's website and online ordering platform since Thursday, according to information obtained by BleepingComputer.

Despite the fact that Ingram Micro is a major business-to-business technology distributor and service provider that offers hardware, software, cloud solutions, logistics, and training to resellers and managed service providers across the world, it has not yet been publicly confirmed what caused the disruption. According to a ransomware group known as SafePay, the group has issued an ultimatum to Ingram Micro, warning that it will publish 3.5 terabytes of allegedly stolen data unless they are paid a ransom by August 1st.

Several prominent warning signs, along with a countdown clock, are prominently displayed on the leak site of the group, increasing the pressure on the California-based technology distributor to enter into negotiations with the group. During an ongoing investigation, Ingram Micro informed the public on 5 July of a ransomware attack, which resulted in certain internal systems being shut down as a precaution.

SafePay did not confirm at that time that any data exfiltration occurred, but now, following the breach, the company claims responsibility and asserts that it has obtained a significant volume of sensitive corporate information. A security researcher has found code similarities to the LockBit ransomware family, suggesting a potential rebrand or offshoot. SafePay started causing threats in late 2024 to at least twenty organisations across different industries.

With the group operating under a double-extortion model, not only do they encrypt compromised systems, but they also threaten victims with leaking their data should they refuse to pay the ransom. In the course of investigating the incident, it has been determined that SafePay was responsible for orchestrating the attack, a comparatively new type of ransomware which emerged between September and November 2024.

Ingram Micro had not attributed the attack to any specific threat actor. However, BleepingComputer has now discovered a link between the breach and the group that employs the double-extortion model, in which data is stolen and encrypted using system encryption, as well as claiming to have compromised more than 200 companies across a wide range of fields, including manufacturing, healthcare, and education.

There has been some speculation that SafePay exploited vulnerabilities in the GlobalProtect VPN platform to gain access to the company and left ransom notes on the company's employee devices. As a result of the attack, Ingram Micro's AI-driven Xvantage distribution system, as well as its Impulse license provisioning platform, both critical components of the organisation's global operations, were reportedly affected by the hack.

According to Ingram Micro's announcement on July 5, a number of internal systems had been identified as infected with malicious software, following a ransomware attack. An immediate precautionary measure was taken by the company to secure its environment, including proactively taking down systems and implementing mitigation measures, and the company announced the following week that global operations were fully back to normal.

There has been no mention of the stolen data, ransom demands, or who was responsible on the company's official incident update page or in its 8-K filing to the Securities and Exchange Commission, as of 7 July. Although the company has continued to acknowledge that it is actively investigating the scope of the incident and the nature of any data affected, it has opted not to comment further on it.

Interestingly, however, the ransomware group SafePay—which claims responsibility for the intrusion—is more forthright, claiming that it has infected 3.5 terabytes of sensitive data and has set the public release deadline of 1 August 2025 if a ransom is not paid. Consequently, a countdown clock is displayed on their leak site stating that if the ransom is not paid, it will release the data publicly.

As an intermediary in the supply chain for major technology vendors, Ingram Micro is the largest reseller and enterprise network in the world, servicing over 160,000 resellers and enterprise customers worldwide. There is a growing concern among security specialists that the exposure of partner agreements, customer records, and proprietary product information may have a far-reaching impact across the technology channel.

From enabling targeted phishing attacks to eroding competitive advantages, the risks are extensive across the technology channel. According to industry consultants, organisations should take steps to strengthen access controls, enforce multifactor authentication, monitor for emerging vulnerabilities, and limit remote access to secured VPNs to prevent such threats.

While Ingram Micro is still investigating the SafePay leak, the persistent countdown clock on the leak site indicates that no agreement has been reached, which makes it more likely for full disclosure of data to occur. If the claimed dataset is made available, vendors, resellers, and end users might have to reset their credentials on a large scale, prepare for targeted scams, and comply with any potential regulatory reporting requirements.

Security researchers are then expected to examine these files for potential indicators of compromise and tactical insights that could mitigate similar attacks in the future, as well as the likelihood of these attacks occurring again. It was in a brief announcement published by Ingram Micro on a Sunday morning that they had been victimised by ransomware attacks, stating that malicious software was detected on several internal systems.

During the investigation, the company reported that it took immediate steps to secure its environment, including the initiation of a proactive shutdown of the affected systems, the implementation of additional mitigation measures, the launch of an investigation with the assistance of leading cybersecurity experts, and the notification of authorities.

Despite the inconvenience caused by Ingram Micro, the company has expressed its sincere apologies to customers, vendors, and partners, as well as a commitment to restoring affected systems so normal order processing and shipping can resume. Palo Alto Networks responded to reports suggesting that attackers had gained access via Ingram Micro's GlobalProtect VPN gateway on 7 Julyemphasisingng that the company was investigating the claims and emphasising that threat actors regularly infiltrate VPNs by using stolen credentials or misconfigured networks.

It was reported that Ingram Micro had made great progress toward restoring transactional operations by 8 July. Subscription orders, renewals, and modifications had been processed globally again through its central support organisation, and customers across multiple countries, including the UK, Germany, France, Italy, Spain, Brazil, India, China, Portugal, and the Nordic countries, were accepting phone or email orders.

There are still some restrictions that apply to hardware and technology orders. Sources also indicate that VPN access has been restored in certain regions. Palo Alto Networks later confirmed that none of the company's products were exploited or compromised by the breach. In spite og only operating for about a year, SafePay has established a substantial footprint in the cybercrime landscape, displaying 265 victims on the dark web leak site it has operated for.

Having been identified in September 2024, this group is believed to have previously deployed LockBit ransomware, though it is unclear whether it is related to LockBit. The SafePay ransomware company claims it is different from many contemporary ransomware operations because it does not utilise affiliates to breach networks as a ransomware-as-a-service model.

A report by Emsisoft’s Brett Callow indicates that this strategy, along with the preference for a low public profile of the group, may be the group’s attempt to avoid the intense scrutiny that law enforcement authorities have been paying for actions taken against other high-profile gangs in recent months. Among the most active ransomware actors worldwide, SafePay is ranked fourth behind Qilin, Akira, and Play in NCC Group's second quarter 2025 report.

It has been estimated that this group is responsible for 70 attacks in May 2025 alone, which makes them the most active ransomware operators in the entire month. Ingram Micro and its global network of partners were impacted by the SafePay attack that led to a cascade of operational, financial and reputational consequences. It was reported that technology resellers, managed service providers, and vendors worldwide were unable to conduct transactions due to the downtime of digital commerce platforms, order processing systems, and cloud license provisioning systems.

As a result of the disruption, hardware and cloud shipments slowed, and downstream partners sought alternate distribution channelsemphasisingng the central role large distributors play in supplying IT products. In the wake of the outage, industry analysts estimate that SafePay has lost up to $136 million in revenue per day, according to industry analysts. SafePay claims to have exfiltrated 3.5 terabytes of sensitive data, including financial, legal, and intellectual property. If its ransom demands are not met, it threatens public release.

The prolonged downtime, along with limited communication from the company, caused criticism from both customers and industry observers. Experts believe that the incident underscores the vulnerable nature of VPNs and identity management systems, especially where multi-factor authentication is lacking, password security is not enforced, and timely patches aren't applied promptly.

The report also reflects the increasing use of double-extortion tactics, which combine system encryption with the threat of sensitive data leaks to achieve double extortion. Thus, organisations must prepare not only for the restoration of services, but also for possible repercussions in terms of privacy and legality. Although Ingram Micro had restored global services on 30 July 2025, it remains under continuous extortion threat, and the company is still undergoing an extensive forensic investigation.

As a result of the Ingram Micro incident, ransomware operations have become increasingly sophisticated and persistent, where a technical compromise is just the beginning of a broader campaign of intimidation and leverage. The tactics employed by SafePay—combining the operational paralysis of core systems with the looming threat of massive data loss—illustrate how modern cyberattacks are built to exert sustained pressure on victims for quite some time after initial containment measures have been completed.

It has served as a reminder for global supply chain operators that security perimeters must extend far beyond traditional network defenses, including identity verification, remote access governance, and proactive vulnerability management, in addition to traditional network defenses. In light of the interconnected nature of modern information technology ecosystems, it is evident that disruptions can cause shockwaves across multiple industries and markets if a single node is disrupted.

Several experts have noted that in the wake of high-profile supply chain breaches, threat actors are likely to be more focused on distributors and service aggregators, since they have extensive vendor and customer relationships, which have the potential to increase the impact of financial gains and reputational harm. It is also likely that regulatory bodies will examine these incidents with greater care, particularly where they involve the disclosure of sensitive partner information or customer information, which can result in broader compliance obligations as well as legal liabilities.

Taking Ingram Micro to the next level will require not only the resolution of immediate security and operational issues, but also the rebuilding of trust with the vast network of customers and partners the company has cultivated.

To reduce the long-term repercussions of the incident, it is crucial to be transparent in communications following the incident, to demonstrate security enhancements, and to collaborate with the industry to share intelligence on emerging threats. In the course of the investigation, it is likely to become an important reference point for cybersecurity strategy debates, as well as in shaping future policy aimed at protecting global supply chains against cybersecurity threats.

Cybercrime-as-a-Service Drives Surge in Data Breaches and Stolen Credentials



 

Katz

Atlantis AIO CaaS Credentials Theft CyberCrime cybercriminals Cybersecurity Data Breach Data Harvesting SDK data security Data Theft Flashpoint infostealers Katz

Cybercrime-as-a-Service Drives Surge in Data Breaches and Stolen Credentials

The era of lone cybercriminals operating in isolation is over. In 2025, organized cybercrime groups dominate the threat landscape, leveraging large-scale operations and sophisticated tools to breach global organizations. Recent intelligence from Flashpoint reveals a troubling surge in cyberattacks during just the first half of the year, showing how professionalized cybercrime has become — particularly through the use of Cybercrime-as-a-Service (CaaS) offerings.

One of the most alarming findings is the 235% rise in data breaches globally, with the United States accounting for two-thirds of these incidents. These breaches exposed an astounding 9.45 billion records. However, this number is eclipsed by the dramatic 800% increase in stolen login credentials. In total, threat actors using information-stealing malware compromised more than 1.8 billion credentials in just six months.

These tools — such as Katz Stealer or Atlantis AIO — are widely accessible to hackers for as little as $30, yet they offer devastating capabilities, harvesting sensitive data from commonly used browsers and applications. Flashpoint’s report emphasizes that unauthorized access, largely facilitated by infostealers, was the initial attack vector in nearly 78% of breach cases.

These tools enable threat actors to infiltrate organizations and pivot across networks and supply chains with ease. Because of their low cost and high effectiveness, infostealers are now the top choice for initial access among cybercriminals. This rise in credential theft coincides with a 179% surge in ransomware attacks during the same period.

According to Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint, this dramatic escalation highlights the industrial scale at which cybercrime is now conducted. The report suggests that to counter this growing threat, organizations must adopt a dual strategy: monitor stolen credential datasets and set up alert systems tied to specific compromised domains.

Furthermore, the report advocates for moving beyond traditional password-based authentication. Replacing passwords and basic two-factor authentication (2FA) with passkeys or other robust methods can help reduce risk.

As cybercriminal operations grow increasingly professional, relying on outdated security measures only makes organizations more vulnerable. With CaaS tools making sophisticated attacks more accessible than ever, companies must act swiftly to enhance identity protection, tighten access controls, and build real-time breach detection into their infrastructure.

The rapid evolution of cybercrime in 2025 is a stark reminder that prevention and preparedness are more critical than ever.

How Age Verification Measures Are Endangering Digital Privacy in the UK



 

VPN

Age Verification CyberCrime Cyberhackers Cybersecurity CyberThreat Digital Privacy Privacy VPN

How Age Verification Measures Are Endangering Digital Privacy in the UK

A pivotal moment in the regulation of the digital sphere has been marked by the introduction of the United Kingdom's Online Safety Act in July 2025. With the introduction of this act, strict age verification measures have been implemented to ensure that users are over the age of 25 when accessing certain types of online content, specifically adult websites.

Under the law, all UK internet users have to verify their age before using any of these platforms to protect minors from harmful material. As a consequence of the rollout, there has been an increase in circumvention efforts, with many resorting to the use of virtual private networks (VPNs) in an attempt to circumvent these controls.

As a result, a national debate has arisen about how to balance child protection with privacy, as well as the limits of government authority in online spaces, with regard to child protection. A company that falls within the Online Safety Act entails that they must implement stringent safeguards designed to protect children from harmful online material as a result of its provisions.

In addition to this, all pornography websites are legally required to have robust age verification systems in place. In a report from Ofcom, the UK's regulator for telecoms and responsible for enforcing the Child Poverty Act, it was found that almost 8% of children aged between eight and fourteen had accessed or downloaded a pornographic website or application in the previous month.

Furthermore, under this legislation, major search engines and social media platforms are required to take proactive measures to keep minors away from pornographic material, as well as content that promotes suicide, self-harm, or eating disorders, which must not be available on children's feeds at all. Hundreds of companies across a wide range of industries have now been required to comply with these rules on such a large scale.

The United Kingdom’s Online Safety Act came into force on Friday. Immediately following the legislation, a dramatic increase was observed in the use of virtual private networks (VPNs) and other circumvention methods across the country. Since many users have sought alternative means of accessing pornographic, self-harm, suicide, and eating disorder content because of the legislation, which mandates "highly effective" age verification measures for platforms hosting these types of content, the legislation has led some users to seek alternatives to the platforms.

The verification process can require an individual to upload their official identification as well as a selfie in order to be analysed, which raises privacy concerns and leads to people searching for workarounds that work. There is no doubt that the surge in VPN usage was widely predicted, mirroring patterns seen in other nations with similar laws. However, reports indicate that users are experimenting with increasingly creative methods of bypassing the restrictions imposed on them.

There is a strange tactic that is being used in the online community to trick certain age-gated platforms with a selfie of Sam Porter Bridges, the protagonist of Death Stranding, in the photo mode of the video game. In today's increasingly creative circumventions, the ongoing cat-and-mouse relationship between regulatory enforcement and digital anonymity underscores how inventive circumventions can be.

Virtual private networks (VPNs) have become increasingly common in recent years, as they have enabled users to bypass the United Kingdom's age verification requirements by routing their internet traffic through servers that are located outside the country, which has contributed to the surge in circumvention. As a result of this technique, it appears that a user is browsing from a jurisdiction that is not regulated by the Online Safety Act since it masks their IP address.

It is very simple to use, simply by selecting a trustworthy VPN provider, installing the application, and connecting to a server in a country such as the United States or the Netherlands. Once the platform has been active for some time, age-restricted platforms usually cease to display verification prompts, as the system does not consider the user to be located within the UK any longer.

Following the switch of servers, reports from online forums such as Reddit indicate seamless access to previously blocked content. A recent study indicated VPN downloads had soared by up to 1,800 per cent in the UK since the Act came into force. Some analysts are arguing that under-18s are likely to represent a significant portion of the spike, a trend that has caused lawmakers to express concern.

There have been many instances where platforms, such as Pornhub, have attempted to counter circumvention by blocking entire geographical regions, but VPN technology is still available as a means of gaining access for those who are determined to do so. Despite the fact that the Online Safety Act covers a wide range of digital platforms besides adult websites that host user-generated content or facilitate online interaction, it extends far beyond adult websites.

The same stringent age checks have now been implemented by social media platforms like X, Bluesky, and Reddit, as well as dating apps, instant messaging services, video sharing platforms, and cloud-based file sharing services, as well as social network platforms like X, Bluesky, and Reddit. Because the methods to prove age have advanced far beyond simply entering the date of birth, public privacy concerns are intensified.

In the UK’s communications regulator, Ofcom, a number of mechanisms have been approved for verifying the identity of people, including estimating their facial age by uploading images or videos, matching photo IDs, and confirming their identity through bank or credit card records. Some platforms perform these checks themselves, while many rely on third-party providers-entities that will process and store sensitive personal information like passports, biometric information, and financial information.

The Information Commissioner's Office, along with Ofcom, has issued guidance stating that any data collected should only be used for verification purposes, retained for a limited period of time, and never used to advertise or market to individuals. Despite these safeguards being advisory rather than mandatory, they remain in place.

With the vast amount of highly personal data involved in the system and its reliance on external services, there is concern that the system could pose significant risks to user privacy and data security. As well as the privacy concerns, the Online Safety Act imposes a significant burden on digital platforms to comply with it, as they are required to implement “highly effective age assurance” systems by the deadline of July 2025, or face substantial penalties as a result.

A disproportionate amount of these obligations is placed on smaller companies and startups, and international platforms must decide between investing heavily in UK-specific compliance measures or withdrawing all services altogether, thereby reducing availability for British users and fragmenting global markets. As a result of the high level of regulatory pressure, in some cases, platforms have blocked legitimate adult users as a precaution against sanctions, which has led to over-enforcement.

Opposition to this Act has been loud and strong: an online petition calling for its repeal has gathered more than 400,000 signatures, but the government still maintains that there are no plans in place to reverse it. Increasingly, critics assert that political rhetoric is framed in a way that implies tacit support for extremist material, which exacerbates polarisation and stifles nuanced discussion.

While global observers are paying close attention to the UK's internet governance model, which could influence future internet governance in other parts of the world, global observers are closely watching it. The privacy advocates argue that the Act's verification infrastructure could lead to expanded surveillance powers as a result of its comparison to the European Union's more restrictive policies toward facial recognition.

There are a number of tools, such as VPNs, that can help individuals protect their privacy if they are used by reputable providers who have strong encryption policies, as well as no-log policies, which are in place to ensure that no data is collected or stored. While such measures are legal, experts caution that they may breach the terms of service of platforms, forcing users to weigh privacy protections versus the possibility of account restrictions when implementing such measures.

The use of "challenge ages" as part of some verification systems is intended to reduce the likelihood that underage users will slip through undetected, since they will be more likely to be detected if an age verification system is not accurate enough. According to Yoti's trials, setting the threshold at 20 resulted in fewer than 1% of users aged 13 to 17 being incorrectly granted access after being set at 20.

Another popular method of accessing a secure account involves asking for formal identification such as a passport or driving licence, and processing the information purely for verification purposes without retaining the information. Even though all pornographic websites must conduct such checks, industry observers believe that some smaller operators may attempt to avoid them out of fear of a decline in user engagement due to the compliance requirement.

In order to take action, many are expected to closely observe how Ofcom responds to breaches. There are extensive enforcement powers that the regulator has at its disposal, which include the power to issue fines up to £18 million or 10 per cent of a company's global turnover, whichever is higher. Considering that Meta is a large corporation, this could add up to about $16 billion in damages. Further, formal warnings, court-ordered site blocks, as well as criminal liability for senior executives, may also be an option.

For those company leaders who ignore enforcement notices and repeatedly fail to comply with the duty of care to protect children, there could be a sentence of up to two years in jail. In the United Kingdom, mandatory age verification has begun to become increasingly commonplace, but the long-term trajectory of the policy remains uncertain as we move into the era.

Even though it has been widely accepted in principle that the program is intended to protect minors from harmful digital content, its execution raises unresolved questions about proportionality, security, and unintended changes to the nation's internet infrastructure. Several technology companies are already exploring alternative compliance methods that minimise data exposure, such as the use of anonymous credentials and on-device verifications, but widespread adoption of these methods depends on the combination of the ability to bear the cost and regulatory endorsement.

It is predicted that future amendments to the Online Safety Act- or court challenges to its provisions-will redefine the boundary between personal privacy and state-mandated supervision, according to legal experts. Increasingly, the UK's approach is being regarded as an example of a potential blueprint for similar initiatives, particularly in jurisdictions where digital regulation is taking off.

Civil liberties advocates see a larger issue at play than just age checks: the infrastructure that is being constructed could become a basis for more intrusive monitoring in the future. It will ultimately be decided whether or not the Act will have an enduring impact based on not only its effectiveness in protecting children, but also its ability to safeguard the rights of millions of law-abiding internet users in the future.

Sharp Increase in Ransomware Incidents Hits Energy Sector



 

Zscaler

Cyber Attacks CyberCrime Cybersecurity Data Exploit Digital Security Ransomware Security Infrastructure Security Vulnerabilities VPN Zero Trust Zscaler

Sharp Increase in Ransomware Incidents Hits Energy Sector

The cyber threat landscape is constantly evolving, and ransomware attacks have increased in both scale and sophistication, highlighting how urgent it is for enterprises to take a strategic approach to cybersecurity. A survey conducted by Zscaler in 2025 found that ransomware incidents increased 146% over the past year.

Ten prominent groups took 238 terabytes of data from their servers over the past year, nearly doubling the 123 terabytes they stole a year ago. There has been an alarming 900% increase in attacks in the oil and gas industry, largely attributed to the development of digital infrastructure as well as unresolved security vulnerabilities. Additionally, manufacturing, technology, and healthcare have all been affected by this increase, resulting in more than 2,600 reported incidents combined.

A large percentage of ransomware cases were reported in the United States, which accounts for more than twice the total number of cases reported in the next 14 most affected countries combined. According to experts, threat actors are increasingly turning to generative artificial intelligence (AI) in order to streamline operations and perform more targeted and efficient attacks. This shift corresponds with the growing preference for data extortion over traditional file encryption, resulting in more effective attacks.

In response to these evolving tactics, cybersecurity leaders are advocating the widespread adoption of Zero Trust architecture in order to prevent large-scale data loss and contain lateral movement within networks. The rise of digital transformation is accelerating the use of ransomware actors to launch increasingly sophisticated attacks on critical infrastructure sectors while automating and leveraging vulnerable industrial control systems as a source of attack.

A dramatic increase in the number of attacks on the oil and gas industry was attributed to expanding digital footprints and security lapses, whereas Zscaler's latest research indicates that manufacturing, information technology, and healthcare are the sectors that are most frequently targeted by cybercriminals. This attack disproportionately affected the United States, as there were 3,671 ransomware incidents registered in this country, which is more than any of the next 14 most targeted countries combined.

Over the past year, 238 terabytes of data were exfiltrated in ransomware campaigns, a 92% increase over last year. In the April-to-April period, RansomHub emerged as the most active ransomware group, followed by Akira and Clop in a close second place. These intrusions were largely caused by vulnerabilities that were known to exist in widely used enterprise technologies, such as VMware hypervisors, Fortinet and SonicWall VPNs, and Veeam backup software, making the critical need for proactive vulnerability management and real-time threat detection to be implemented across all levels of IT and operational infrastructure even clearer.

In recent years, cybercriminal groups have adopted more targeted and scalable approaches to extortion, which is reshaping the global ransomware landscape. According to Zscaler's ThreatLabz Ransomware Report for 2025, RansomHub, Akira, and Clop are the three most prolific groups, each of which has claimed more than 850 victims, 520 victims, and 488 victims, respectively.

The success of Ariara is attributed primarily to its affiliate-based operation model and close collaboration with initial access brokers, while Clop has continued to exploit vulnerabilities in commonly used third-party software to execute impactful supply chain attacks in the last few years. In spite of the high-profile actors involved in this reporting period, Zscaler tracked 425 ransomware groups, so this is just a small part of a much broader and rapidly growing ecosystem. 34 new ransomware groups were created during the reporting period.

In addition, according to this report, a significant proportion of ransomware campaigns were exploiting a limited range of critical software vulnerabilities, primarily in internet-facing technologies such as SonicWall VPNs and Fortinet VPNs, VMware hypervisors, Veeam backup tools, and SimpleHelp remote access servers.

It is due to their widespread deployment and ease of discovery through simple scanning techniques that these vulnerabilities remain so attractive. This allows both veteran and newly formed groups of hackers to launch high-impact attacks more effectively and with greater precision. The ransomware ecosystem continues to grow at an alarming rate, and there have been unprecedented numbers of groups launching ransomware attacks.

There have been 34 new ransomware gangs reported by Zscaler between April 2024 and April 2025, totalling 425 groups that have been tracked so far. Clearly, the significant growth in ransomware over recent years is a reflection of the enduring appeal of ransomware as an attractive criminal model, and it demonstrates how sophisticated and agile cybercriminal organisations have become over the last few years.

Even though the continued rise in new ransomware actors is a concern, some signs sustained law enforcement action and stronger cybersecurity frameworks are beginning to help counteract this trend, as well as strong cybersecurity frameworks. To dismantle ransomware infrastructures, sixteen illicit assets, and disrupt cybercrime networks, international efforts are increasing pressure on cybercriminals. Not only can these actions impede operational capabilities, but they may also serve as a psychological deterrent, preventing emerging gangs from maintaining momentum or evading detection.

Experts suggest, even in spite of the complexity and evolution of ransomware threats, that efforts by law enforcement agencies, cybersecurity professionals, and private sector stakeholders are beginning to make a meaningful contribution to combating ransomware threats. In spite of the growth of the number of threat groups, it is becoming increasingly difficult for these groups to sustain operations over the long run.

In the face of the global ransomware threat, there is a cautious but growing sense of optimism, as long as we continue to collaborate and be vigilant. In terms of ransomware activity, there is still a stark imbalance in the distribution of attacks across the globe. The United States remains, by a wide margin, the nation that has been hit the most frequently.

The 2025 ThreatLabz report from Zscaler indicates that 50 per cent of all ransomware attacks originated from U.S.-based organisations, totalling 3,671 incidents - more than double the total number of attacks reported across the next 14 most targeted countries combined. The United Kingdom and Canada ranked distantly behind the US and Canada, respectively, with only 5 and 4 per cent of global incidents.

This concentration of attacks is a result of the strategic targeting of highly dense, high-value economies by threat actors looking for maximum disruption and financial gain as a result of their actions. In this surge, several prominent ransomware groups were at the forefront, including RansomHub, which had 833 victims publicly identified by the media.

As an affiliate program and partnership with initial access brokers helped Akira rise to prominence, involving 520 victims, it became a leading ransomware group. A close second was Clop, which had 488 victims, using its proven tactics to leverage vulnerable third-party software, in order to carry out large-scale supply chain attacks using vulnerable third-party software.

Zscaler identified 34 new ransomware families in the past year, increasing the total number of tracked groups from 425 to 425. There are more than 1,000 ransomware notes available on GitHub, with 73 new samples being added every day within the past year, highlighting the scale of the threat and its persistence. With the increasing threat landscape, Zscaler continues to advance its Zero Trust Exchange framework, powered by artificial intelligence, to combat ransomware at every stage of its lifecycle.

By replacing legacy perimeter-based security models with this platform, you will be able to minimise attack surfaces, block initial compromises, eliminate lateral movement, and stop data exfiltration that was previously possible.

As part of Zscaler’s architecture, which is enhanced with artificial intelligence-driven capabilities like breach prediction, phishing and command and control detection, inline sandboxing, segmentation, dynamic policy enforcement, and robust data loss prevention, we can take an active and scalable approach to ransomware mitigation, aligning with the evolving needs of modern cybersecurity.

Increasingly, ransomware is becoming a systemic risk across digital economies, which makes it essential for enterprises and governments to develop comprehensive, forward-looking cyber defence strategies. As a result of the convergence of industrial digitisation, widespread software vulnerabilities, and the emergence of ransomware-as-a-service (RaaS) models, the global threat landscape is changing in ways that require both public and private sectors to take immediate action.

The attacks have not only caused immediate financial and operational losses, but they have also now threatened national security, supply chain resilience, and public infrastructure, particularly within high-value, interconnected industries like the energy industry, manufacturing industry, healthcare industry, and technology industry. Leaders in cybersecurity have increasingly advocated for a paradigm shift from reactive control measures to proactive cyber resilience strategies.

Embedding zero trust principles into organization infrastructure, modernising legacy systems, and investing in artificial intelligence-driven threat detection are some of the steps that are required to achieve this objective, as well as building intelligence-sharing ecosystems between private companies, governments, and law enforcement agencies.

There is also a constant need to evaluate the role of artificial intelligence in both attack and defence cycles, where defenders have the need to outperform their adversaries by automating, analysing, and enforcing policy in real time. As for the policy level, the increased use of ransomware underscores the need for globally aligned cybersecurity standards and enforcement frameworks.

Isolated responses cannot be relied upon anymore when transnational threat actors leverage decentralized infrastructure and exploit jurisdictional loopholes in order to exploit them. In order to disrupt the ransomware economy and regain trust in the digital world, a holistic collaboration is essential that involves advanced technologies, legal deterrents, and public awareness.

While there is no indication that ransomware is going away anytime soon, the progress being made in detecting threats, managing vulnerabilities, and coordinating cross-border responses offers a path forward as long as we work together on these improvements. The need to protect digital assets and ensure long-term operational continuity is not just a matter of IT hygiene anymore – it has become a foundational pillar of enterprise risk management, and therefore a crucial component for the management of business continuity in today's environment.

Cybercriminals Exploit Unprecedented Data Exposure in 141 Million File Leak



 

Social Security Numbers

141 Million File Leak CyberCrime Cybersecurity CyberThreat Data Breach Financial Breach intellectual property ITRC PII Social Security Numbers

Cybercriminals Exploit Unprecedented Data Exposure in 141 Million File Leak

Digital transformation has transformed cybersecurity from a technical safeguard to a strategic imperative for business continuity, consumer trust, and national security, particularlyin an era wofrapid digital transformation With the rise of digital infrastructure and the advent of data as the new currency, cyber threats have increased in scale, frequency, and sophistication, placing significant pressure on public and private sectors to reassess their cybersecurity strategies.

The Identity Theft Resource Center (ITRC) reported that the United States had experienced the most data breaches in its history in 2021, or 1,862 breaches compared to 2020. These breaches disrupted a wide range of industries, including healthcare, finance, retail, and energy. It is anticipated that in 2023 and beyond, artificial intelligence, nation-state actors, and global cybercrime syndicates will be the driving force behind even more advanced attack vectors. In order to prevent these threats, cybersecurity frameworks need to be proactive, resilient, and adaptive.

A growing dependence on digital ecosystems has resulted in cybersecurity becoming an essential business enabler, impacting risk management, compliance, innovation, and investor confidence across a broad range of industries. There is no denying that the security landscape has reached an important inflexion point amid the growing complexity of digital technology. Earlier this year, 141 million compromised files were linked to 1,297 distinct ransomware and data breach incidents, which underscored the sobering inflexion point in the cybersecurity landscape.

There is a staggering amount of sensitive, unstructured data being stolen in modern cyberattacks, causing the attention to shift from conventional credential theft to a wider range of sensitive, unstructured data as a result of this groundbreaking study. As opposed to previous breach assessments, which focused on structured databases and login information, this study examines the unstructured files in corporate systems, often the most valuable and vulnerable assets.

It is believed that these files contain financial records, personally identifiable information (PII), internal communications, and cryptographic security keys, which give cybercriminals an insight into how organisations operate. These findings demonstrate not only the extent to which data is exposed in a variety of sectors, but also the inadequacy of traditional security postures when it comes to securing today’s data-rich environment as it pertains to data security.

Cyberattacks are becoming more surgical and data-centric as they become increasingly sophisticated. To keep their businesses safe, enterprises must implement advanced threat intelligence, encryption, and zero-trust architectures into their cybersecurity strategies at the core. According to our investigation, there is a very alarming degree of personal data exposure in the current breach landscape, with four out of five incidents having compromised personal data, including information about individual customers and business entities.

Especially troubling is the discovery that 67% of the data analysed originated from routine customer service interactions. This underscores the fact that everyday communications have been exposed as being extremely vulnerable. A major weakness was identified as email correspondence, with over half of the breaches (51%) involving emails containing Social Security numbers (highly sensitive identifiers that, once exposed, created enduring risks because of their immutability and centrality to a wide range of financial and governmental systems created enduring risks.

As a matter of concern, cryptographic keys were detected in 18% of analysed breaches. When these keys, which underpin security protocols such as encryption and authentication, are compromised, they can provide an unprecedented amount of risk for the organisation. This can result in the degradation of digital trust and the enabling of unauthorised access to protected systems as a result. Since cryptographic keys are more difficult to replace than passwords and often require systemic overhauls to be properly maintained, their exposure is a critical security risk.

Increasingly, attackers are shifting from encrypting files to stealing and exchanging sensitive data in order to compound these risks as ransomware tactics evolve. Among the major threat groups, data exfiltration has increased by 92% year-over-year, and the number of ransomware attacks blocked has increased by 146%, thus signalling a shift towards monetising breached information as opposed to traditional ransom demands.

Cybercriminals are embarking on a profound shift in their playbook of cybercriminals, which leaves organisations under pressure to cope with both operational disruptions as well as the reputational consequences. There was 17% of exposed data consisting of source code and other intellectual property. This posed a serious risk to innovation-driven businesses. When proprietary code is leaked, not only does it undermine competitive advantage, but it also gives adversaries a deep understanding of the vulnerabilities within an application, compromising years of strategic development for an adversary.

Cybercriminals are targeting a trove of unstructured, public, and sensitive data in the modern day, which represents an increasingly sophisticated trove of data, far more sensitive than the traditional theft of usernames and passwords. According to a comprehensive analysis of 141 million compromised files resulting from nearly 1,300 ransomware and breach incidents, cyberattackers are increasingly targeting confidential business documents, financial records, internal communications, and source code—assets that can offer exponentially more value than just login credentials alone—as assets that are extremely valuable. In the majority of these cases, financial documents were found in 93% of the incidents, with 41% of the exposed material consisting of these files.

In almost half of these breaches, bank statements were found in the datasets, and International Bank Account Numbers (IBANs) were present in 36% of the datasets, which clearly indicated that the information stolen was both accurate and useful. Unstructured data, such as contracts, meeting notes, configuration files, and emails, is often not encrypted or protected in a way that makes them prime targets for hackers, as opposed to structured databases.

Approximately 82% of breaches involved personally identifiable information (PII), most of which was embedded in customer service communication, which often contained detailed information about verifications and complaint histories. There were a number of breaches analysed that also exposed emails with Social Security Numbers, and 18% of those contained cryptographic keys that could undermine authentication systems and enable persistence of access to the data.

In addition to the threat, there are now cybercrime as-a-service platforms that allow the users to rent information-stealing malware for a very low price and then use it to harvest vast amounts of data from unprotected systems, compounding the threat. The dark web market is rumoured to be flooded with billions of login credentials, yet analysts believe the most valuable commodities in this century are source code, legal contracts, business plans, and sensitive client records, all of which are often hidden in cloud repositories or inadequately secured file-sharing drives.

A cybercriminal can adapt to the new climate by adapting their methods accordingly, operating more like a data scientist, sorting, categorising, and exploiting leaked information in a calculated manner so that they can infiltrate, steal information, commit fraud, and sabotage operations for the long run. In light of these findings, organisations must adopt holistic data protection strategies that go beyond the traditional perimeter-based security models in order to protect their data from threats.

The threat of cyberattacks is increasing, and businesses must prioritise the implementation of advanced data classification systems that can accurately identify and categorise high-value information to protect themselves from cybersecurity threats. Whenever sensitive documents are being transferred, it is extremely important to apply rigorous encryption to ensure they are protected from unauthorised access, both at rest and during transit.

Continuous monitoring solutions are equally important in shared environments where visibility is often limited, and it is imperative that continuous monitoring solutions detect anomalous data access patterns. As part of a security assessment, it is essential to perform a detailed inventory of all data repositories, focusing in particular on unstructured files that often fail to attract traditional security oversight, but contain critical business information.

The use of cryptographic keys and other foundational security assets requires strict access controls and dedicated monitoring to prevent unauthorised use or exposure. Human error is still the greatest vulnerability; therefore, it is necessary to enhance employee awareness programs in order to highlight the risks associated with embedding sensitive information in routine communications, such as emails, meeting notes, and unsecured attachments, so that this vulnerability does not occur.

Organizations can mitigate the increasing risks associated with today's data-centric threat landscape by cultivating a culture of security-conscious behavior and strengthening the governance of data lifecycle management as well as fostering a culture of security-conscious behavior. In light of the rapid growth and complexity of the digital threat environment, the cybersecurity community has reached an inflexion point that is requiring a more forward-looking approach to cybersecurity rather than reactive band-aid solutions.

A fundamental shift in mindset is needed at this transformative moment. Cybersecurity is no longer viewed as just another compliance checkbox; it is an integral component of digital infrastructure and enterprise risk management. In order for cybersecurity to be a tool of growth instead of a constraint, board members, CISOs, and IT leaders must collaborate across functional lines to align security priorities with company goals, ensuring that cybersecurity is a tool to enable growth, not a hindrance. Investing in cyber resilience cannot be limited to technology alone, but should also include vendor risk management, incident response readiness, and strategic threat models as well.

In today's world, new technologies exist that provide new avenues for the detection and neutralisation of threats before they become an epidemic, including AI-powered behavioural analytics, deception-based defences, and cloud-native security platforms. As regulatory frameworks tighten around the world, companies have to demonstrate transparency, accountability, and proactive data governance in order to meet the demands of these regulators.

It is clear that organisations operating in today’s volatile cyberscape need to embrace the lessons learned from the past: protecting their digital environment is no longer just about building taller walls, but also cultivating intelligence, adaptability, and resilience at every level. When organisations fail to evolve, they risk more than just operational disruptions; they also risk compromising their reputations, stakeholder trust, and long-term viability in this age of data becoming a permanent weapon in the hands of adversaries, once breached. In this climate of cybercrime, cybersecurity is no longer just a defensive function but a core business necessity to be able to survive and grow.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Showing result(s) for

Popular Posts

Pages

Microsoft Flaw Blamed as Hackers Breach Canada’s House of Commons

Black Hat 25 Reveals What Keeps Cyber Experts Awake

Pro-Russian Hackers Breach Norwegian Dam Systems

Rising Underwater Mortgages Signal Strain in Florida and Texas Property Markets

Pandora Admits Customer Data Compromised in Security Breach

Ingram Micro Faces Alleged Breach by SafePay with Ransom Threat

Cybercrime-as-a-Service Drives Surge in Data Breaches and Stolen Credentials

How Age Verification Measures Are Endangering Digital Privacy in the UK

Sharp Increase in Ransomware Incidents Hits Energy Sector

Cybercriminals Exploit Unprecedented Data Exposure in 141 Million File Leak

Footer About

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Showing result(s) for

Popular Posts

Pages

Menu Item