Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
SQL Database
Accounting Firm API Data Breach Ernst & Young SQL Database

Ernst & Young Exposes 4TB Database Backup Online, Leaking Company Secrets

 

Ernst & Young (EY), one of the world’s largest accounting firms, reportedly left a massive 4TB SQL database backup exposed online, containing highly sensitive company secrets and credentials accessible to anyone who knew where to find it. 

The backup, in the form of a .BAK file, contained not only schema and stored procedures but also application secrets, API keys, session tokens, user credentials, cached authentication tokens, and service account passwords. Security researchers from Neo Security discovered this alarming exposure during routine tooling work, verifying that the file was indeed publicly accessible.

The researchers emphasized that an exposed database backup like this is equivalent to releasing the master blueprints and keys to a vault, noting that such exposure could lead to catastrophic consequences, including large-scale breaches and ransomware attacks. Due to legal and ethical concerns, the researchers did not download the backup in full, but they warned that any skilled threat actor could have already accessed the data, potentially leading to severe security fallout.

Upon discovering the issue, Neo Security promptly alerted EY, who were praised for their professional and prompt response; the company did not deflect, show defensiveness, or issue legal threats, but instead acknowledged the risk and began triaging the problem. Despite the quick engagement, EY took a full week to remediate the issue, which is considered a significant delay given the urgency and potential for malicious exploitation in such security incidents.

The breach highlights the dangers of misconfigured cloud storage and the need for organizations, especially those handling sensitive data, to rigorously audit and secure their backups and databases. The exposure of such a large database could have resulted in the theft of proprietary information, customer data, and even facilitated coordinated cyberattacks on EY and its clients.

Experts urge companies to assume that any publicly accessible database backup may have already been compromised, as even a brief window of exposure can be enough for malicious actors to exploit the data. The incident underscores the importance of robust security practices, regular audits, and rapid incident response protocols to minimize the risk and impact of data breaches.

This incident serves as a cautionary tale for organizations to take extra precautions in securing all forms of sensitive data, especially those stored in backups, and to act swiftly to remediate publicly exposed databases.
Read more »
Svenska Kraftnät
Critical Infrastructure Cyber Threats Cybersecurity Data Breach Everest Ransomware Network Protection Power Grid Security Ransomware attack Svenska Kraftnät

Sweden Confirms Power Grid Breach Amid Growing Ransomware Concerns

 


Swedish power grid operator, Suderland, has confirmed it is investigating a security incident related to a potential ransomware attack aimed at decrypting sensitive data as part of its ongoing cybersecurity investigation, a revelation that has stirred alarm across Europe's critical infrastructure community.

It has been revealed by Svenska kraftnät, the state-owned company in charge of ensuring the nation's electricity transmission networks, that a criminal group has threatened to release what it claims to be hundreds of gigabytes of internal data allegedly stolen from the organization's computer system in order to sell it to the public. It appears, based on initial findings, that the breach occurred solely through a limited external file transfer platform, and officials stressed that the electricity supply and core grid of Sweden have not been affected.

In spite of this, the revelation has raised alarm about the threat to critical energy infrastructure from cyber extortion, which has increased as authorities continue to figure out exactly how extensive and damaging the cyber extortion attack has been. A breach which took place on October 26, 2025, reverberated throughout the cybersecurity landscape across Europe, highlighting the fragility of digital defences protecting critical infrastructure for the first time. 

In response to claims made by the notorious Everest ransomware group, Sweden's government-owned electricity transmission company, which plays a crucial role in the stability of the country's power grid, confirmed a data compromise had been confirmed by Svenska kraftnät. In spite of the fact that the full scope of the intrusion is still being investigated, early indications suggest that the attackers may have obtained or exfiltrated sensitive internal data as part of the intrusion. 

It has been reported that the Everest group, notorious for coordinated extortion campaigns and sophisticated methods of network infiltration, has publicly accepted responsibility, increasing scrutiny of both national and international cybersecurity authorities. Such attacks on critical national infrastructure (CNI), according to experts, have far-reaching consequences, threatening both operational continuity as well as economic stability and public confidence, among others. 

It has rekindled the need to strengthen cyber resilience frameworks, to collaborate on threat intelligence, and to increase vigilance across essential service providers to prevent similar disruptions in the future. Despite the intrusion, officials have assured that the nation's power transmission and supply operations remain fully operational, with no signs that mission-critical infrastructure will be affected by the intrusion. 

The extent to which the organisation has been compromised is still being investigated while securing affected systems and assessing the nature of the leaked information. In spite of the fact that it is still uncertain to what extent the breach has affected the organisation, early reports suggest that around 280 gigabytes of internal data may have been stolen. An established cybercrime group known as Everest has claimed responsibility for the recent attack on Svenska Kraftnät, and they have listed Svenska Kraftnät among their victims on a Tor-based data leak website, which was launched in late 2020. 

A notorious group for extortion and cyberattacks, the group has been previously linked to high-profile incidents such as Collins Aerospace's cyberattack, which disrupted operations at several European airports as a result. Despite the increasing boldness of ransomware actors to attack key entities of national infrastructure, the latest claim against Sweden's key power operator is a clear indication of what is happening. 

In the process of investigating the incident, Svenska kraftnät continues to maintain close coordination with law enforcement and cybersecurity agencies to identify the perpetrators and mitigate further risks. Despite the fact that this incident has been isolated, it is nonetheless an indication of the escalating cyber threat landscape affecting critical infrastructure providers, where even isolated system failures can pose significant risks to national stability and public confidence. 

Svenska kraftnät has confirmed to the media that Cem Göcgoren, Head of Information Security at Svenska kraftnät, is leading a comprehensive forensic investigation to determine the nature and extent of the data compromised during the cyberattack, as well as to assess the level of damage that has been caused. It has been determined that the breach of security did not affect Sweden's transmission or distribution systems, with officials reassuring that the country's electricity systems should continue to operate uninterrupted during the investigation. 

The aforementioned distinction highlights that the attackers probably targeted administrative or corporate data, not the systems responsible for managing real-time power flo,whichat are responsible for preventing potential disruptions from occurring, which is a critical factor in preventing potentially severe damagSvenska kraftnät must informrms the national law enforcement authorities of the intrusion immediately after it discovers the intrusion and coordinates with the appropriate government agencies to safeguard the infrastructure and cybersecurity of the network. 

As a result of the swift escalation, power grid operators are becoming increasingly regarded as prime targets by ransomware groups, given the strategic and economic leverage they hold. There is a known ransomware gang, Everest, that has claimed responsibility for the attack. This group is notorious for its "double extortion" tactics, in which they encrypt the data of victims while simultaneously threatening to publish the stolen files in the absence of the ransom payment. 

According to cybersecurity experts, this incident has served to underscore the importance of vigilant security governance within critical infrastructure sectors. In terms of countermeasures, it is recommended that robust incident response protocols be activated, as well as users be isolated from compromised systems, and detailed forensic assessments be conducted in order to identify vulnerabilities exploited during the breach. 

The strengthening of the defenders through multi-factor authentication, network segmentation, and the disciplined management of patches is of utmost importance at this time, especially as ransomware operators target flaws in enterprise software products such as VMware vCenter and Ivanti software with increasing frequency. Furthermore, keeping immutable offline backups, making employees aware of phishing and social engineering threats, and leveraging real-time threat intelligence can all help to strengthen resilience against similar attacks in the future. 

Thus, the Svenska kraftnät breach serves both as a warning and a lesson in the ongoing fight against the cyberattacks of modern societies, both in the sense that they serve as a warning and a lesson. In the energy sector, the incident serves as a defining reminder that cybersecurity is no longer only a technical issue, but is also a matter of national resilience. With ransomware actors becoming more sophisticated and audacious, power grid operators have to take a proactive approach and move from reactive defence to predictive intelligence - by adopting continuous monitoring and zero-trust architectures, as well as collaborating with multiple agencies to strengthen digital ecosystems. 

Aside from immediate containment efforts, it will be essential to invest in cybersecurity training, international alliances for information sharing, and next-generation defence technologies to prevent future cyber threats. While alarming, the Svenska kraftnät breach presents a unique opportunity for governments and industries alike to strengthen their digital trust and operational stability by using this breach.
Read more »
Personal Data
cybersecurity threat Data Breach Data Leak Data protection data security Defence Ministry Personal Data

Afghans Report Killings After British Ministry of Defence Data Leak

 

Dozens of Afghans whose personal information was exposed in a British Ministry of Defence (MoD) data breach have reported that their relatives or colleagues were killed because of the leak, according to new research submitted to a UK parliamentary inquiry. The breach, which occurred in February 2022, revealed the identities of nearly 19,000 Afghans who had worked with the UK government during the war in Afghanistan. It happened just six months after the Taliban regained control of Kabul, leaving many of those listed in grave danger. 

The study, conducted by Refugee Legal Support in partnership with Lancaster University and the University of York, surveyed 350 individuals affected by the breach. Of those, 231 said the MoD had directly informed them that their data had been compromised. Nearly 50 respondents said their family members or colleagues were killed as a result, while over 40 percent reported receiving death threats. At least half said their relatives or friends had been targeted by the Taliban following the exposure of their details. 

One participant, a former Afghan special forces member, described how his family suffered extreme violence after the leak. “My father was brutally beaten until his toenails were torn off, and my parents remain under constant threat,” he said, adding that his family continues to face harassment and repeated house searches. Others criticized the British government for waiting too long to alert them, saying the delay had endangered lives unnecessarily.  

According to several accounts, while the MoD discovered the breach in 2023, many affected Afghans were only notified in mid-2025. “Waiting nearly two years to learn that our personal data was exposed placed many of us in serious jeopardy,” said a former Afghan National Army officer still living in Afghanistan. “If we had been told sooner, we could have taken steps to protect our families.”  

Olivia Clark, Executive Director of Refugee Legal Support, said the findings revealed the “devastating human consequences” of the government’s failure to protect sensitive information. “Afghans who risked their lives working alongside British forces have faced renewed threats, violent assaults, and even killings of their loved ones after their identities were exposed,” she said. 

Clark added that only a small portion of those affected have been offered relocation to the UK. The government estimates that more than 7,300 Afghans qualify for resettlement under a program launched in 2024 to assist those placed at risk by the data breach. However, rights organizations say the scheme has been too slow and insufficient compared to the magnitude of the crisis.

The breach has raised significant concerns about how the UK manages sensitive defense data and its responsibilities toward Afghans who supported British missions. For many of those affected, the consequences of the exposure remain deeply personal and ongoing, with families still living under threat while waiting for promised protection or safe passage to the UK.
Read more »
healthcare data breach
Data Breach Data Exfilteration Data protection data security Healthcare Healthcare Breach Healthcare Data healthcare data breach

Conduent Healthcare Data Breach Exposes 10.5 Million Patient Records in Massive 2025 Cyber Incident

 

In what may become the largest healthcare breach of 2025, Conduent Business Solutions LLC disclosed a cyberattack that compromised the data of over 10.5 million patients. The breach, first discovered in January, affected major clients including Blue Cross Blue Shield of Montana and Humana, among others. Although the incident has not yet appeared on the U.S. Department of Health and Human Services’ HIPAA breach reporting website, Conduent confirmed the scale of the exposure in filings with federal regulators. 

The company reported to the U.S. Securities and Exchange Commission in April that a “threat actor” gained unauthorized access to a portion of its network on January 13. The breach caused operational disruptions for several days, though systems were reportedly restored quickly. Conduent said the attack led to data exfiltration involving files connected to a limited number of its clients. Upon further forensic analysis, cybersecurity experts confirmed that these files contained sensitive personal and health information of millions of individuals. 

Affected data included patient names, treatment details, insurance information, and billing records. The company’s notification letters sent to Humana and Blue Cross customers revealed that the breach stemmed from Conduent’s third-party mailroom and printing services unit. Despite the massive scale, Conduent maintains that there is no evidence the stolen data has appeared on the dark web. 

Montana regulators recently launched an investigation into the breach, questioning why Blue Cross Blue Shield of Montana took nearly ten months to notify affected individuals. Conduent, which provides business and government support services across 22 countries, reported approximately $25 million in direct response costs related to the incident during the second quarter of 2024. The company also confirmed that it holds cyber insurance coverage and has notified federal law enforcement. 

The Conduent breach underscores the growing risk of third-party vendor incidents in the healthcare sector. Experts note that even ancillary service providers like mailroom or billing vendors handle vast amounts of protected health information, making them prime targets for cybercriminals. Regulatory attorney Rachel Rose emphasized that all forms of protected health information (PHI)—digital or paper—fall under HIPAA’s privacy and security rules, requiring strict administrative and technical safeguards. 

Security consultant Wendell Bobst noted that healthcare organizations must improve vendor risk management programs by implementing continuous monitoring and stronger contractual protections. He recommended requiring certifications like HITRUST or FedRAMP for high-risk vendors and enforcing audit rights and breach response obligations. 

The incident follows last year’s record-breaking Change Healthcare ransomware attack, which exposed data from 193 million patients. While smaller in comparison, Conduent’s 10.5 million affected individuals highlight how interconnected the healthcare ecosystem has become—and how each vendor link in that chain poses a potential cybersecurity risk. As experts warn, healthcare organizations must tighten vendor oversight, ensure data minimization practices, and develop robust incident response playbooks to prevent the next large-scale PHI breach.
Read more »
Ravin Academy
Data Breach Iranian hackers MOIS Private Data Ravin Academy

Iranian Intelligence-Linked Ravin Academy Suffers Data Breach

 

Ravin Academy, a cybersecurity training center closely linked to Iran's Ministry of Intelligence and Security (MOIS), has suffered a significant data breach that exposed the personal information of over 1,000 individuals enrolled in its technical programs.

The academy, established in 2019, has been described as a recruitment pipeline for Iran's cyber operations and has previously been sanctioned by the U.S., UK, and EU for aiding the country's intelligence activities.

Details of the breach

The breach involved the compromise of personal data, including names, phone numbers, Telegram usernames, and, in some cases, national ID numbers of students and associates. The information was reportedly leaked on an online platform managed by the academy and subsequently made public by UK-based Iranian activist Nariman Gharib, who obtained a copy of the stolen dataset. 

The breach occurred just before Ravin Academy's annual Tech Olympics event, leading the institution to claim the attack was orchestrated to undermine its reputation and harm Iran's cybersecurity ambitions. Ravin Academy has been widely recognized for providing both offensive and defensive cyber training to Iranian intelligence personnel, including courses in red-teaming, malware reverse-engineering, and vulnerability analysis. 

The academy’s founders, Farzin Karimi Mazlganchai and Seyed Mojtaba Mostafavi, are themselves sanctioned by Western governments for their ties to state-sponsored cyber operations. The organization is thought to play a critical role in Iran’s cyber capabilities, contributing to projects that have targeted domestic protests and international adversaries.

Global implications

The breach not only highlights vulnerabilities within Iran’s cyber training infrastructure but also raises concerns over the privacy and security of individuals involved in state-linked cyber programs. Analysts suggest the incident underscores the risks faced by institutions central to national cyber development and the growing sophistication of cyber operations targeting such entities. 

With the leaked data potentially useful for intelligence and counterintelligence purposes, the breach has significant ramifications for both individual privacy and the broader landscape of cyber conflict. This incident serves as a stark reminder of the exposure faced by state-affiliated cyber training programs and the far-reaching consequences of cyber breaches in the realm of international security.
Read more »
Password
Credentials Data Breach Data Leak Gmail Google Infostealer Password

Gmail Credentials Appear in Massive 183 Million Infostealer Data Leak, but Google Confirms No New Breach




A vast cache of 183 million email addresses and passwords has surfaced in the Have I Been Pwned (HIBP) database, raising concern among Gmail users and prompting Google to issue an official clarification. The newly indexed dataset stems from infostealer malware logs and credential-stuffing lists collected over time, rather than a fresh attack targeting Gmail or any other single provider.


The Origin of the Dataset

The large collection, analyzed by HIBP founder Troy Hunt, contains records captured by infostealer malware that had been active for nearly a year. The data, supplied by Synthient, amounted to roughly 3.5 terabytes, comprising nearly 23 billion rows of stolen information. Each entry typically includes a website name, an email address, and its corresponding password, exposing a wide range of online accounts across various platforms.

Synthient’s Benjamin Brundage explained that this compilation was drawn from continuous monitoring of underground marketplaces and malware operations. The dataset, referred to as the “Synthient threat data,” was later forwarded to HIBP for indexing and public awareness.


How Much of the Data Is New

Upon analysis, Hunt discovered that most of the credentials had appeared in previous breaches. Out of a 94,000-record sample, about 92 percent matched older data, while approximately 8 percent represented new and unseen credentials. This translates to over 16 million previously unrecorded email addresses, fresh data that had not been part of any known breaches or stealer logs before.

To test authenticity, Hunt contacted several users whose credentials appeared in the sample. One respondent verified that the password listed alongside their Gmail address was indeed correct, confirming that the dataset contained legitimate credentials rather than fabricated or corrupted data.


Gmail Accounts Included, but No Evidence of a Gmail Hack

The inclusion of Gmail addresses led some reports to suggest that Gmail itself had been breached. However, Google has publicly refuted these claims, stating that no new compromise has taken place. According to Google, the reports stem from a misunderstanding of how infostealer databases operate, they simply aggregate previously stolen credentials from different malware incidents, not from a new intrusion into Gmail systems.

Google emphasized that Gmail’s security systems remain robust and that users are protected through ongoing monitoring and proactive account protection measures. The company said it routinely detects large credential dumps and initiates password resets to protect affected accounts.

In a statement, Google advised users to adopt stronger account protection measures: “Reports of a Gmail breach are false. Infostealer databases gather credentials from across the web, not from a targeted Gmail attack. Users can enhance their safety by enabling two-step verification and adopting passkeys as a secure alternative to passwords.”


What Users Should Do

Experts recommend that individuals check their accounts on Have I Been Pwned to determine whether their credentials appear in this dataset. Users are also advised to enable multi-factor authentication, switch to passkeys, and avoid reusing passwords across multiple accounts.

Gmail users can utilize Google’s built-in Password Manager to identify weak or compromised passwords. The password checkup feature, accessible from Chrome’s settings, can alert users about reused or exposed credentials and prompt immediate password changes.

If an account cannot be accessed, users should proceed to Google’s account recovery page and follow the verification steps provided. Google also reminded users that it automatically requests password resets when it detects exposure in large credential leaks.


The Broader Security Implications

Cybersecurity professionals stress that while this incident does not involve a new system breach, it reinforces the ongoing threat posed by infostealer malware and poor password hygiene. Sachin Jade, Chief Product Officer at Cyware, highlighted that credential monitoring has become a vital part of any mature cybersecurity strategy. He explained that although this dataset results from older breaches, “credential-based attacks remain one of the leading causes of data compromise.”

Jade further noted that organizations should integrate credential monitoring into their broader risk management frameworks. This helps security teams prioritize response strategies, enforce adaptive authentication, and limit lateral movement by attackers using stolen passwords.

Ultimately, this collection of 183 million credentials serves as a reminder that password leaks, whether new or recycled, continue to feed cybercriminal activity. Continuous vigilance, proactive password management, and layered security practices remain the strongest defenses against such risks.


Read more »
User Security
aviation DAA Data Breach Dublin Airport Ireland User Security

Dublin Airport Data Breach Exposes 3.8 Million Passengers

 

Dublin Airport has confirmed a significant data breach affecting potentially 3.8 million passengers who traveled through the Irish facility during August 2025, following a cyberattack on aviation technology supplier Collins Aerospace. The breach compromised boarding pass data for all flights departing Dublin Airport from August 1-31, 2025, a period during which the airport processed over 3.7 million passengers across more than 110,000 daily passenger movements.

The Dublin Airport Authority (DAA), which operates both Dublin and Cork airports, first learned of the compromise on September 18, 2025, when Collins Aerospace notified them of a breach affecting its IT systems. By September 19, intelligence gathered by airport authorities confirmed that boarding pass information had been published online by a cybercriminal group. Cork Airport officials clarified that none of the compromised data relates to flights through their facility.

The exposed data includes passenger booking references, first and last names, frequent flyer numbers, contact information such as email addresses and phone numbers, and travel itineraries. Airlines including Swedish carrier SAS have sent notifications to affected passengers warning that other booking-related details may have been accessed. However, the breach did not involve passport information, payment card details, or other financial data.

The incident is directly linked to the devastating Collins Aerospace ransomware attack that crippled multiple European airports in September 2025. Collins Aerospace's MUSE (Multi-User System Environment) software, which powers check-in and boarding operations at approximately 170 airports globally, fell victim to HardBit ransomware on the night of September 19, 2025. Dublin Airport was particularly hard hit, with officials confirming they had to rebuild servers "from scratch" with no clear timeline for resolution.

Additionally, the Russia-linked Everest ransomware gang has claimed responsibility for a separate attack on Dublin Airport, threatening to leak data of over 1.5 million records on the dark web unless the airport pays a ransom. This claim includes device information, workstation IDs, timestamps, departure dates and times, and barcode formats.

The DAA immediately reported the breach to multiple authorities on September 19, 2025, including the Data Protection Commission (DPC), Irish Aviation Authority, and National Cyber Security Centre. Graham Doyle, Deputy Commissioner at the Data Protection Commission, confirmed the agency is conducting a full investigation into the breach's scope and impact.

Security experts warn that the compromised information provides sufficient detail for sophisticated phishing campaigns, social engineering attacks, frequent flyer account takeover attempts, and identity theft operations targeting affected passengers.
Read more »
Phishing and Spam
Customer Data Customer Data Exposed Dark Web Data Breach Data exposed data security Hackers identity theft risk Phishing and Spam

Toys “R” Us Canada Data Breach Exposes Customer Information, Raising Phishing and Identity Theft Concerns

 

Toys “R” Us Canada has confirmed a data breach that exposed sensitive customer information, including names, postal addresses, email addresses, and phone numbers. Although the company assured that no passwords or payment details were compromised, cybersecurity experts warn that the exposed data could still be exploited for phishing and identity theft schemes. 

The company discovered the breach after hackers leaked stolen information on the dark web, prompting an immediate investigation. Toys “R” Us engaged a third-party cybersecurity firm to conduct forensic analysis and confirm the scope of the incident. Early findings revealed that a “subset of customer records” had been stolen. The retailer began notifying affected customers through official communications, with letters quickly circulating on social media after being shared by recipients.  

According to the company’s statement, the breach did not involve financial information or account credentials, but the exposure of valid contact details still presents significant risk. Cybercriminals often use such data to create convincing phishing emails or impersonate legitimate companies to deceive victims into revealing sensitive information. 

Toys “R” Us stated that its IT systems were already protected by strong security protocols but have since been reinforced with additional defensive measures. The company has not disclosed how the attackers infiltrated its network or how many individuals were impacted. It also confirmed that, to date, there is no evidence suggesting the stolen data has been misused. 

In the aftermath of the incident, Toys “R” Us reported the breach to relevant authorities and advised customers to remain vigilant against phishing attempts. The company urged users not to share personal information with unverified senders, avoid clicking on suspicious links or attachments, and closely monitor any unusual communications that appear to come from the retailer.  

While no hacking group has claimed responsibility for the breach, cybersecurity analysts emphasize that exposed names, emails, and phone numbers can easily be weaponized in future scams. The incident underscores how even non-financial data can lead to significant cybersecurity risks when mishandled or leaked. 

Despite the company’s reassurances and strengthened defenses, the breach highlights the ongoing threat businesses face from cyberattacks that target customer trust and data privacy.
Read more »
Technology
Apple Data Breach dating app security Technology

Apple Removes Controversial Dating Apps After Data Leak and Privacy Violations

 

Apple has removed two dating apps, Tea and TeaOnHer, from the App Store months after a major data breach exposed users’ private information. The removal comes amid continued criticism over the apps’ privacy failures and lack of effective content moderation. 

The controversy started earlier this year when 404 Media reported that Tea, described as a dating and safety app, had leaked sensitive data, including driver’s licenses and chat histories. 

The exposed information was traced to an unsecured database and later appeared on the forum 4chan. Despite the breach, the app briefly gained popularity and reached the top of the App Store charts, driven by widespread online attention. 

TechCrunch reported that Apple confirmed the removal of both apps, citing multiple violations of its App Store Review Guidelines. The company pointed to sections 1.2, 5.1.2, and 5.6, which address objectionable content, data protection, and excessive negative user feedback. 

Apple also received a large number of complaints and low ratings, including reports that personal information belonging to minors had been shared on the platforms. According to Apple, the developers were notified of the issues and given time to make improvements, but no adequate action was taken. 

The gap between the initial reports of the data leak and the eventual removal likely reflects this period of review and attempted remediation. The incident highlights ongoing challenges around privacy and user safety in dating apps, which often collect and store large amounts of personal data. 

While Apple enforces rules intended to protect users, the case raises questions about how quickly and effectively those rules are applied when serious privacy risks come to light. The removal of Tea and TeaOnHer underscores the growing scrutiny facing apps that fail to secure user information or moderate harmful content.
Read more »
VPN vulnerabilities
Akira Ransomware APAC Cybercrime cyber resilience Cybersecurity Threats Data Breach Network Security ransomware attacks SonicWall Exploit VPN vulnerabilities

Growing VPN Exploits Trigger Fresh Ransomware Crisis in APAC


 

Despite the growing cyber risk landscape in Asia-Pacific, ransomware operations continue to tighten their grip on India and the broader region, as threat actors more often seek to exploit network vulnerabilities and target critical sectors in order to get a foothold in the region. 

It is essential to note that Cyble's Monthly Threat Landscape Report for July 2025 highlights a concerning trend: cybercriminals are no longer merely encrypting systems for ransom; they are systematically extracting sensitive information, selling network access, and exposing victims to the public in underground marketplaces. 

In recent weeks, India has been a focal point of this escalation, with a string of damaging breaches taking place across a number of key industries. Recently, the Warlock ransomware group released sensitive information concerning a domestic manufacturing company. This information included employee records, financial reports, and internal HR files. Parallel to this, two Indian companies – a technology consulting firm and a SaaS provider – have been found posting stolen data on dark web forums that revealed information on customers, payment credentials, and server usage logs. 

Further compounding the threat, the report claims that credentials granting administrative control over an Indian telecommunications provider’s infrastructure were being sold for an estimated US$35,000 as a way of monetizing network intrusions, highlighting the increasing monetization of network hacking. 

Throughout the region, Thailand, Japan, and Singapore are the most targeted nations for ransomware, followed by India and the Philippines, with manufacturing, government, and critical infrastructure proving to be the most targeted sectors. As the region's digital volatility continues, the pro-India hacktivist group Team Pelican Hackers has been claiming responsibility for hacking multiple Pakistani institutions and leaking sensitive academic data and administrative data related to research projects, which demonstrates that cyber-crime is going beyond financial motives in order to serve as a form of geopolitical signaling in the region. 

Security experts across the region are warning about renewed exploitation of SonicWall devices by threat actors linked to the Akira ransomware group among a growing number of ransomware incidents that have swept across the region. Since the resurgence of Akira's activity occurred in late July 2025, there has been a noticeable increase in intrusions leveraging SonicWall appliances as entry points. Rapid7 researchers have documented this increase.

An attacker, according to the firm, is exploiting a critical vulnerability that dates back a year—identified as CVE-2024-40766 with a CVSS score of 9.3—that is linked to a vulnerability in the SSL VPN configuration on the device. It is clear that this issue, which led to local user passwords persisting rather than being reset after migration, has provided cybercriminals with a convenient way to compromise network defenses. 

It was SonicWall who acknowledged the targeted activity, and confirmed that malicious actors were attempting to gain unauthorized access to the network using brute force. According to the company, administrators should activate Botnet Filtering for the purpose of blocking known malicious IP addresses as well as enforce strict Account Lockout policies to take immediate measures. As ransomware campaigns that exploit VPN vulnerabilities continue to increase, proactive security hygiene is becoming increasingly important. 

The increasing cybercrime challenges in the Asia-Pacific region are being exacerbated by recent findings from Barracuda's SOC Threat Radar Report, which indicate a significant increase in attacks exploiting vulnerabilities in VPN infrastructures and Microsoft 365 accounts. Throughout the study, threat actors are becoming increasingly stealthy and adopting Python-based scripts to avoid detection and maintain persistence within targeted networks in order to evade detection. 

It has been determined that the Akira ransomware syndicate has increased its operations significantly, compromising outdated or unpatched systems rapidly, leading to significant losses for the syndicate. A number of intrusions have been traced back to exploitation of a known flaw in SonicWall VPN appliances — CVE-2024-40766 — that allows attackers to manipulate legacy credentials that haven’t been reset after migration as a result of this flaw. 

A month ago, there was a patch released which addressed the issue. However, many organizations across the APAC region have yet to implement corrective measures, leaving them vulnerable to renewed exploitation in the coming months. In multiple instances, Akira operators have been observed intercepting one-time passwords and generating valid session tokens using previously stolen credentials, effectively bypassing multi-factor authentication protocols, even on patched networks. 

In order to achieve such a level of sophistication, the group often deploys legitimate remote monitoring and management tools in order to disable security software, wipe backups, and obstruct remediation attempts, allowing the group to effectively infiltrate systems without being detected. There has been a sustained outbreak of such attacks in Australia and other Asian countries, which indicates how lapses in patch management, the use of legacy accounts, and the unrotation of high-privilege credentials continue to amplify risk exposure, according to security researchers. 

There is no doubt that a prompt application of patches, a rigorous password reset, and a strict credential management regime are crucial defenses against ransomware threats as they evolve. There is no doubt that manufacturing is one of the most frequently targeted industries in the Asia-Pacific region, as more than 40 percent of all reported cyber incidents have been related to manufacturing industries. 

Several researchers attribute this sustained attention to the sector's intricate supply chains, its dependence on outdated technologies, and the high value of proprietary data and intellectual property that resides within operational networks, which makes it a target for cybercriminals. It has been common for attackers to exploit weak server configurations, steal credentials, and deploy ransomware to disrupt production and gain financial gain by exploiting weak server configurations. 

Approximately 16 percent of observed attacks occurred in the financial sector and insurance industry, with adversaries infiltrating high-value systems through sophisticated phishing campaigns and malware. The purpose of these intrusions was not only to steal sensitive information, such as customer and payment information, but also to maintain persistent access for prolonged reconnaissance. 

Among the targeted entities, the transportation industry, which accounts for around 11 percent of all companies targeted, suffered from an increase in attacks intended to disrupt logistics and operational continuity as a consequence of its reliance on remote connectivity and third-party digital infrastructure as a consequence of its heavy reliance on remote connectivity. 

In the wider APAC context, cybercriminals are increasingly pursuing both operational and financial goals in these attacks, aiming to disrupt as well as monetize. It is still very common for threats actors to steal trade secrets, customer records, and confidential enterprise information, making data theft one of the most common outcomes of these attacks. 

Despite the fact that credential harvesting is often facilitated by malware that steals information from compromised systems, this method of extorting continues to enable subsequent breaches and lateral movements within compromised systems. Furthermore, the extortion-based operation has evolved, with many adversaries now turning to non-encrypting extortion schemes for coercing victims, rather than using ransomware encryption to coerce victims, emphasizing the change in cyber threats within the region. 

Several experts have stressed that there is no substitute for a multilayered and intelligence-driven approach to security in the Asia-Pacific region that goes beyond conventional security frameworks in order to defend against the increasing tide of ransomware. Static defenses are not sufficient in an era in which threat actors have evolved their tactics in a speed and precision that is unprecedented in history. 

A defence posture that is based on intelligence must be adopted by organizations, continuously monitoring the tactics, techniques, and procedures used by ransomware operators and initial access brokers in order to identify potential intrusions before they arise. As modern "sprinter" ransomware campaigns have been exploiting vulnerabilities within hours of public disclosure, agile patch management is a critical part of this approach.

There is no doubt that timely identification of vulnerable systems and remediation of those vulnerabilities, as well as close collaboration with third party vendors and suppliers to ensure consistency in patching, are critical components of an effective cyber hygiene program. It is equally important to take human factors into consideration. 

The most common attack vector that continues to be exploited is social engineering. Therefore, it is important to conduct continuous awareness training tailored to employees who are in sensitive or high-privilege roles, such as IT and helpdesk workers, to reduce the potential for compromise. Furthermore, security leaders advise organizations to adopt a breach-ready mindset, which means accepting the possibility of a breach of even the most advanced defenses.

If an attack occurs, containing damage and ensuring continuity of operations can be achieved through the use of network segmentation, immutable data backups, and a rigorously tested incident response plan to strengthen resilience. Using actionable intelligence combined with proactive risk management, as well as developing a culture of security awareness, APAC enterprises can be better prepared to cope with the relentless wave of ransomware threats that continue to shape the digital threat landscape and recover from them. 

A defining moment in the Asia-Pacific cybersecurity landscape is the current refinement of ransomware groups' tactics as they continue to exploit every weakness in enterprise defenses. Those recent incidents of cyber-attacks using VPNs and data exfiltration incidents should serve as a reminder that cyber resilience is no longer just an ambition; it is a business imperative as well. Organizations are being encouraged to shift away from reactive patching and adopt a culture that emphasizes visibility, adaptability, and intelligence sharing as the keys to continuous security maturity. 

Collaboration between government, the private sector, and the cybersecurity community can make a significant contribution to the development of early warning systems and collective response abilities. A number of measures can help organizations detect threats more efficiently, enforce zero-trust architectures, and conduct regular penetration tests, which will help them identify any vulnerabilities before adversaries take advantage of them. 

Increasingly, digital transformation is accelerating across industries, which makes the importance of integrating security by design—from supply chains to cloud environments—more pressing than ever before. Cybersecurity can be treated by APAC organizations as an enabler rather than as a compliance exercise, which is important since such enterprises are able to not only mitigate risks, but also build digital trust and operational resilience during an age in which ransomware threats are persistent and sophisticated.
Read more »
Financial Data Breach
Cyberattacks Data Breach Data exposed data security Encryption Security Financial Data Financial Data Breach

FinWise Data Breach Exposes Insider Threats, Highlights Need for Strong Encryption and Key Management

 

The 2024 FinWise data breach underscores the rising risk of insider threats within financial institutions. Unlike cyberattacks initiated by external hackers, this breach resulted from unauthorized access by a former employee who retained system credentials after leaving the company. On May 31, 2024, the ex-employee accessed FinWise Bank’s internal systems and leaked personal information of approximately 689,000 customers of American First Finance (AFF). The breach went unnoticed for more than a year, until FinWise discovered it on June 18, 2025. This prolonged exposure period raises serious concerns about the bank’s internal monitoring and incident detection capabilities. 

Legal complaints against FinWise allege that the compromised data was inadequately encrypted, intensifying public scrutiny and regulatory pressure. Security experts emphasize that effective information protection involves more than encrypting financial data; it requires continuous monitoring, abnormal access detection, and secure key management. FinWise’s alleged failure to deploy these essential safeguards has led to lawsuits and reputational damage. While the bank has yet to disclose details about its encryption protocols, experts agree that encryption alone cannot protect data without proper implementation and access controls. 

The incident highlights how encryption serves as a final layer of defense, but its effectiveness depends on complementary systems like key management and access control. Proper encryption management could have minimized the risk of data exposure, even after unauthorized access. In this context, Penta Security’s D.AMO encryption platform has gained renewed attention as an all-in-one defense solution against such vulnerabilities. 

D.AMO, South Korea’s first packaged encryption solution launched in 2004, integrates encryption, granular access control, and an independent key management system (KMS). Trusted by over 10,000 clients across the finance, public, and enterprise sectors, D.AMO ensures data confidentiality while maintaining operational efficiency. It supports multiple encryption methods and selective column-level encryption, reducing system slowdown without compromising data protection. 

The platform’s key management system, D.AMO KMS, operates as a dedicated hardware appliance that keeps encryption keys separate from the data they protect. By dividing the roles of database and security administrators, D.AMO prevents unauthorized individuals—including insiders—from accessing both encrypted data and the keys simultaneously. Even if an attacker breaches the database, the absence of decryption keys renders the stolen data unusable. 

Additionally, D.AMO Control Center provides centralized management across an organization’s encryption systems. It allows administrators to monitor logs, enforce role-based access controls, and manage permissions to reduce insider misuse. This centralized visibility helps institutions detect unusual behavior early and maintain compliance with international data security regulations such as PCI-DSS, GDPR, and CCPA. 

The FinWise breach serves as a cautionary tale about the consequences of weak encryption governance and insufficient access monitoring. It demonstrates that robust data protection requires a proactive, multi-layered approach integrating encryption, key management, and centralized oversight. Penta Security’s D.AMO platform embodies this strategy, offering institutions a unified solution to mitigate both external and insider threats. For organizations managing sensitive customer information, implementing comprehensive encryption frameworks is no longer optional—it is essential for preserving trust, compliance, and long-term security resilience.
Read more »
Prosper Marketplace
Data Breach financial data leak fintech security breach Prosper cybersecurity incident Prosper data exposure Prosper Marketplace

Prosper Marketplace Cybersecurity Breach Exposes Data of 17 Million Users, Sparks Renewed Fintech Security Concerns

 

Prosper Marketplace has confirmed a major cybersecurity breach that compromised the personal data of over 17 million users, underscoring the persistent challenges faced by financial institutions in protecting sensitive consumer information.

According to the peer-to-peer lending firm, an unauthorized actor gained access to internal systems earlier this month by exploiting compromised administrative credentials. While Prosper emphasized that no bank account details or passwords were affected, exposed data included names, Social Security numbers, and income information—posing serious identity theft risks and fresh security challenges for financial sector CISOs.

The company said it swiftly contained the breach and initiated a full-scale investigation with the help of external cybersecurity experts. Prosper also began notifying affected users and regulators while offering free credit monitoring to those impacted. Though its financial and lending operations remained secure, the incident highlights how stolen or misused credentials continue to endanger fintech organizations.

Prosper’s incident FAQ revealed that the company detected unauthorized system access in early September and immediately took affected servers offline to prevent further compromise. Investigators discovered that an attacker used administrative credentials to reach a database containing both customer and applicant data. Prosper stated that it has since reinforced its security monitoring and implemented enhanced safeguards across all systems.

The company stressed that its lending and payment systems were not affected and found no signs of misuse involving account balances or login details. Notifications were issued in compliance with state and federal requirements, and Prosper is cooperating with law enforcement and cybersecurity authorities as the investigation continues.

The company estimated that approximately 17.6 million users were affected. Independent cybersecurity firm OffSeq Radar suggested the number of exposed records could be even higher, citing additional forensic evidence. The compromised data reportedly includes Social Security numbers, income details, and contact information, but no payment credentials or passwords.

Malwarebytes supported Prosper’s reported timeline, noting that while the leaked data has not yet surfaced on public forums, it could still be exploited for targeted phishing attacks or identity fraud.

The Register reported that Prosper’s internal probe confirmed unauthorized system access and prompted efforts to tighten its overall security framework. The outlet noted that the incident, contained by early September, underscores how credential security and database protection remain ongoing risks for fintech companies.

For cybersecurity leaders, the Prosper breach reinforces the critical need for multi-factor authentication, privileged access audits, and thorough logging. Experts continue to advocate for zero-trust frameworks, continuous monitoring, and data loss prevention strategies to limit exposure. Governance and transparency are increasingly essential alongside technology investments to maintain digital trust with consumers.

Beyond consumer protection concerns, the breach spotlights operational and reputational threats for fintech firms. With more organizations relying on hybrid cloud environments, administrative access points have become prime targets. Without robust segmentation and least-privilege policies, a single compromised account can result in massive data exposure.

Regulators are also tightening expectations around breach notification timelines, compelling firms to improve detection, automate incident responses, and maintain compliance readiness. Even contained events, such as Prosper’s, can disrupt customer confidence and regulatory standing.

Key Takeaways for Security Leaders

Credential-based attacks remain among the hardest to prevent and the costliest to manage. To strengthen defenses and readiness, experts recommend:

  • Limiting administrative credentials and conducting regular privilege audits.
  • Reviewing encryption, segmentation, and monitoring policies across all systems.
  • Reassessing third-party data-sharing and integration risks.

True resilience, experts say, requires more than technology upgrades—it demands proactive identity threat detection, frequent tabletop exercises, and strong governance. The Prosper breach serves as a reminder that visibility, preparation, and zero-trust principles are essential foundations for long-term cybersecurity strength.
Read more »
Prosper hack
Data Breach data breach September 2025 identity theft protection Prosper Prosper customer data leak Prosper hack

Prosper Data Breach Exposes 17.6 Million Users’ Personal Information — Company Offers Free Credit Monitoring

 

Prosper, the popular peer-to-peer lending platform that connects borrowers with investors, suffered a major data breach on September 2nd. According to details shared on the company’s official FAQ page, the incident was caused by “unauthorized queries made on company databases that store customer and applicant data,” which allowed attackers to gain access to sensitive personal information.

The compromised data reportedly includes names, Social Security numbers, government-issued IDs, employment and credit details, income levels, birth dates, home addresses, IP addresses, and browser user-agent information. However, Prosper confirmed that no customer accounts or funds were accessed, and the company’s operations remained unaffected.

While Prosper has not revealed the total number of affected users, cybersecurity outlet BleepingComputer reported that as many as 17.6 million unique email addresses were involved in the breach.

This stolen data presents a serious risk of phishing scams and identity theft, as cybercriminals could use it to impersonate victims or gain unauthorized access to financial accounts. Prosper is currently offering free credit monitoring to affected users and encourages both current and former customers to reach out for further details on what specific information was exposed.

Experts recommend that affected users immediately update passwords for their Prosper account and any connected financial platforms. Choosing strong, unique passwords for each account—and using a password manager to store them securely—is strongly advised.

Additionally, users should enable two-factor or multi-factor authentication wherever possible, as it provides an essential layer of defense against unauthorized access. Remain cautious of phishing attempts, particularly emails or texts requesting personal information or prompting unexpected downloads.

Finally, individuals concerned about potential misuse of their data should consider enrolling in identity theft monitoring services. These tools can alert you to suspicious activity related to your Social Security number, financial accounts, or other sensitive personal details.
Read more »
Oracle E-Business Suite
American Airlines cyberattack Clop Ransomware Data Breach Data Leak Envoy Air data breach Oracle E-Business Suite

Envoy Air Confirms Oracle Data Breach After Clop Ransomware Group Lists American Airlines on Leak Site

 

kEnvoy Air, a regional carrier owned by American Airlines, has confirmed that data from its Oracle E-Business Suite application was compromised following claims by the Clop extortion group, which recently listed American Airlines on its data leak site.

"We are aware of the incident involving Envoy's Oracle E-Business Suite application," Envoy Air told BleepingComputer.

"Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised."

Envoy Air operates regional flights for American Airlines under the American Eagle brand. Although it functions as a separate entity, its operations are closely integrated with American’s systems for ticketing, scheduling, and passenger services.

The Clop ransomware group has begun leaking what it claims to be stolen Envoy data, posting the message: “The company doesn’t care about its customers, it ignored their security!!!” This breach is tied to a wider campaign that began in August, in which Clop targeted Oracle E-Business Suite systems and began sending extortion demands to affected companies in September.

Initially, Oracle said that attackers were exploiting vulnerabilities patched in July. However, the company later confirmed that the threat actors took advantage of a previously unknown zero-day flaw, now identified as CVE-2025-61882.

Cybersecurity firms CrowdStrike and Mandiant later reported that Clop exploited the flaw in early August to infiltrate networks and install malware. While the total number of victims remains unclear, Google’s John Hultquist told BleepingComputer that “dozens of organizations” were affected.

The extortion gang is also targeting Harvard University as part of the same operation. The university confirmed to BleepingComputer that the breach affected “a limited number of parties associated with a small administrative unit.”

Adding to the concerns, Oracle quietly patched another zero-day flaw—CVE-2025-61884—in its E-Business Suite last week, which had been actively exploited since July 2025. The exploit was reportedly leaked by the Shiny Lapsus$ Hunters group on Telegram.

American Airlines has previously faced data breaches in 2022 and 2023, which exposed employee personal data.

Who is Clop?

The Clop ransomware group, also known as TA505, Cl0p, or FIN11, has been active since 2019. It initially used a variant of the CryptoMix ransomware to infiltrate corporate networks and steal information.

Since 2020, the group has shifted its focus to exploiting zero-day vulnerabilities in file transfer and data storage platforms. Notable campaigns include:

  • 2020: Accellion FTA zero-day attack impacting nearly 100 companies
  • 2021: SolarWinds Serv-U FTP zero-day exploit
  • 2023: GoAnywhere MFT zero-day breach affecting 100+ firms
  • 2023: MOVEit Transfer campaign, their largest to date, compromising data from 2,773 organizations worldwide
  • 2024: Exploited Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) for data theft and extortion

The U.S. State Department is currently offering a $10 million reward for information linking Clop’s ransomware operations to any foreign government.
Read more »
Sotheby
Data Breach Employee Data Financial Information Ransomware Sotheby

Sotheby’s Investigates Cyberattack That Exposed Employee Financial Information

 



Global auction house Sotheby’s has disclosed that it recently suffered a data breach in which cybercriminals accessed and extracted files containing sensitive information. The company confirmed that the security incident, detected on July 24, 2025, led to unauthorized access to certain internal data systems.

According to a notification filed with the Maine Attorney General’s Office, the compromised records included details such as full names, Social Security Numbers (SSNs), and financial account information. While the filing listed only a few individuals from the states of Maine and Rhode Island, the overall number of people affected by the breach has not been publicly confirmed.

Sotheby’s stated that once the intrusion was identified, its cybersecurity team immediately launched a detailed investigation, working alongside external security experts and law enforcement authorities. The process reportedly took nearly two months as the company conducted a comprehensive audit to determine what type of information was taken and whose data was affected.

In its notice to those impacted, the company wrote that certain Sotheby’s data “appeared to have been removed from our environment by an unknown actor.” It added that an “extensive review of the data” was carried out to identify the affected records and confirm the individuals connected to them.

As a precautionary measure, Sotheby’s is offering affected individuals 12 months of free identity protection and credit monitoring services through TransUnion, encouraging them to register within 90 days of receiving the notification letter.

Initially, it was unclear whether the compromised data involved employees or clients. However, in an update on October 17, 2025, Sotheby’s clarified in a statement to BleepingComputer that the breach involved employee information, not customer data. The company emphasized that it took the incident seriously and immediately involved external cybersecurity experts to support the response and remediation process.

“Sotheby’s discovered a cybersecurity incident that may have involved certain employee information,” a company spokesperson said in an official statement. “Upon discovery, we promptly began an investigation with leading data protection specialists and law enforcement. The company is notifying all impacted individuals as required and remains committed to protecting the integrity of its systems and data.”

Sotheby’s is among the world’s most recognized auction houses, dealing in high-value art and luxury assets. In 2024, the firm recorded total annual sales of nearly $6 billion, highlighting the scale and sensitivity of the data it manages, including financial and transactional records.

Although no ransomware groups have claimed responsibility for this breach so far, similar attacks have previously targeted high-end auction platforms. In 2024, the RansomHub gang allegedly breached Christie’s, stealing personal data belonging to an estimated 500,000 clients. Such incidents indicate that cybercriminals increasingly view global art institutions as lucrative targets due to the financial and personal data they store.

This is not the first time Sotheby’s has dealt with cybersecurity issues. Between March 2017 and October 2018, the company’s website was compromised by a malicious web skimmer designed to collect customer payment information. A comparable supply-chain attack in 2021 also led to unauthorized access to sensitive data.

The latest breach reinforces the growing risks faced by major cultural and financial institutions that handle valuable client and employee data. As investigations continue, Sotheby’s has urged affected individuals to remain vigilant, review their financial statements regularly, and immediately report any suspicious activity to their bank or credit institution.


Read more »
phishing
Bitwarden Data Breach LastPass Master Password phishing

Fake Breach Alerts Target LastPass and Bitwarden Users to Hijack PCs

 

An ongoing phishing campaign is targeting users of LastPass and Bitwarden with fake breach alerts designed to install remote access tools on victims’ systems. The emails falsely claim that both password managers suffered security incidents and urge users to download a “more secure” desktop application to protect their data.

LastPass confirmed it was not hacked and labeled the messages as social engineering attempts meant to create urgency and prompt users to install malicious software. The campaign began over a holiday weekend to exploit reduced IT staffing and delay detection. Fake emails were sent from domains like hello@lastpasspulse[.]blog and hello@lastpasjournal[.]blog, mimicking official communication.

Similarly, Bitwarden users received nearly identical messages from hello@bitwardenbroadcast.blog, using the same urgent tone and lure of a secure desktop app update. Cloudflare has since blocked the phishing landing pages, identifying them as malicious.

The downloaded binaries install Syncro, a legitimate remote monitoring and management (RMM) tool, which then deploys ScreenConnect to enable remote access to the infected device. The Syncro agent is configured to hide its system tray icon and check in with the attacker’s server every 90 seconds, maintaining stealth. It disables security agents from Emsisoft, Webroot, and Bitdefender and avoids deploying other bundled tools like Splashtop or TeamViewer, focusing solely on gaining remote control.

Once connected via ScreenConnect, attackers can deploy additional malware, exfiltrate data, and access stored credentials from password managers. Syncro clarified that its platform was not breached; instead, attackers created a fraudulent MSP account to abuse the service. A separate phishing wave targeted 1Password users with similar tactics, redirecting them to onepass-word[.]com through a malicious email sent from watchtower@eightninety[.]com. 

Cybersecurity experts stress that users should never respond to such alerts via email and should verify security news only through official company websites and communications. Companies do not request master passwords, and any such demand is a definitive sign of phishing.
Read more »
User Privacy
Data Breach Fashion Retailer MANGO Spain User Privacy

MANGO Marketing Vendor Breach Exposes Customer Contact Details

 

MANGO, the Spanish fashion retailer, has disclosed a data breach affecting customer information due to a cyberattack on one of its external marketing service providers. The incident, revealed on October 14, 2025, involved unauthorized access to personal data used in marketing campaigns, prompting the company to notify affected customers directly.

The compromised data includes customers' first names, country of residence, postal codes, email addresses, and telephone numbers. Notably, sensitive details such as last names, banking information, credit card data, government-issued IDs, passports, and account credentials were not accessed, reducing the risk of financial fraud. Despite this, the exposed information could be leveraged by threat actors for targeted phishing campaigns, where attackers impersonate legitimate entities to trick individuals into revealing further personal or financial data.

MANGO emphasized that its corporate infrastructure and internal IT systems remained unaffected, with no disruption to business operations. The company confirmed that all security protocols were activated immediately upon detection of the breach at the third-party vendor, although the name of the compromised marketing partner has not been disclosed.

In response, MANGO has reported the incident to the Spanish Data Protection Agency (AEPD) and other relevant regulatory authorities, in compliance with data protection regulations. To assist concerned customers, the company has established a dedicated support channel, including an email address (personaldata@mango.com) and a toll-free hotline (900 150 543), where individuals can seek clarification and guidance regarding potential exposure.

Founded in 1984 and headquartered in Barcelona, MANGO operates over 2,800 physical and e-commerce stores across 120 countries. It employs approximately 16,300 people and generates an annual revenue of €3.3 billion, with nearly 30% derived from online sales. While the breach does not impact core business systems, the incident highlights the growing risks associated with third-party vendors in digital supply chains, particularly in the retail and fashion sectors that rely heavily on external marketing and customer engagement platforms.

At the time of reporting, no ransomware group has claimed responsibility for the attack, and the identity of the attackers remains unknown. Local media outlets reached out to MANGO for further details on the scope and technical aspects of the breach but had not received a response by publication.
Read more »
SimonMed
Data Breach Medusa Ransomware Patient Data SimonMed

SimonMed Imaging reports data breach affecting over 1.2 million patients

 




U.S.-based medical imaging provider SimonMed Imaging has disclosed a cybersecurity incident that compromised the personal data of more than 1.2 million patients earlier this year. The company, which operates nearly 170 diagnostic centers across 11 states, specializes in radiology and imaging services such as MRI, CT scans, X-rays, ultrasounds, and mammography.


Details of the breach 

According to information shared with regulators, unauthorized individuals gained access to SimonMed’s internal systems between January 21 and February 5, 2025. The breach came to light on January 27, when one of SimonMed’s third-party vendors reported a security incident that also affected the company. An internal investigation confirmed suspicious network activity the following day.

SimonMed stated that once the attack was detected, the organization acted swiftly to contain the intrusion. Measures included resetting employee passwords, activating multifactor authentication, adding endpoint detection and response (EDR) tools, cutting off third-party vendors’ direct system access, and restricting external network connections to only verified sources. Law enforcement authorities were notified, and cybersecurity specialists were brought in to assist in the investigation and recovery process.


Data possibly exposed

While SimonMed has not disclosed the full scope of data accessed by the attackers, the company confirmed that patients’ full names were among the exposed information. Given the type of data typically stored in radiology systems, the breach may also involve sensitive records such as identification details, medical reports, and financial information.

As of October 10, SimonMed reported finding no evidence that the compromised data has been used for fraud or identity theft. Affected individuals have been offered free identity theft protection services through Experian as a precautionary step.


Ransomware group claims responsibility

Shortly after the breach, the Medusa ransomware group claimed responsibility, listing SimonMed on its leak site on February 7. The group alleged that it had stolen 212 gigabytes of data and released a small sample online as proof. The leaked files reportedly contained ID scans, patient information spreadsheets, billing details, and diagnostic reports.

Medusa demanded a ransom of $1 million, along with an additional $10,000 fee for each day the company delayed payment before full data disclosure. SimonMed’s name has since been removed from the group’s website, which often suggests that negotiations may have taken place. However, the company has not confirmed whether any ransom payment was made.


Growing threat to healthcare organizations

The Medusa ransomware operation, which surfaced in 2023, has been linked to several high-profile attacks on critical infrastructure, including the Minneapolis Public Schools and Toyota Financial Services. In March 2025, the FBI, CISA, and MS-ISAC jointly warned healthcare and education organizations about Medusa’s ongoing targeting campaigns.

Cybersecurity experts emphasize that healthcare institutions remain vulnerable due to the volume of sensitive data they handle. Experts recommend strengthening authentication protocols, monitoring system activity, and maintaining up-to-date security measures to minimize the risk of future incidents.


Read more »
Subscribe to: Comments (Atom)