Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label Data Breach. Show all posts

Axis Max Life Cyberattack: A Warning to the Indian Insurance Sector

 

On July 2, 2025, Max Financial Services revealed a cybersecurity incident targeting its subsidiary, Axis Max Life Insurance, India's fifth-largest life insurer. This incident raises severe concerns regarding data security and threat detection in the Indian insurance sector. 

The breach was discovered by an unknown third party who notified Axis Max Life Insurance of the data access, while exact technical specifics are still pending public release. In response, the company started: 

  • Evaluation of internal security 
  • Log analysis 
  • Consulting with cybersecurity specialists for investigation and remediation 

Data leaked during the breach 

The firm accepted that some client data could have been accessed, but no specific data types or quantities were confirmed at the time of the report. Given the sensitive nature of insurance data, the exposed data could include: 

  • Personally identifiable information (PII). 
  • Financial/Insurance Policy Data Contact and health information (common for life insurers) 

This follows a recent trend of PII-focused assaults on Indian insurers (e.g., Niva Bupa, Star Health, HDFC Life), indicating an increased threat to consumer data. 

Key takeaways

Learning of a breach from an anonymous third party constitutes a serious failure in internal threat identification and monitoring. Implement real-time threat detection across endpoints, servers, and cloud platforms with SIEM, UEBA, and EDR/XDR to ensure that the organisation identifies breaches before external actors do. 

Agents, partners, and tech vendors are frequently included in insurance ecosystems, with each serving as a possible point of compromise. Extend Zero Trust principles to all third-party access, requiring tokenised, time-limited access and regular security evaluations of suppliers with data credentials. 

Mitigation tips 

  • Establish strong data inventory mapping and access logging, particularly in systems that store personally identifiable information (PII) and financial records. 
  • Have a pre-established IR crisis communication architecture that is linked with legal, regulatory, and consumer response channels that can be activated within hours. 
  • Continuous vulnerability scanning, least privilege policies, and red teaming should be used to identify exploitable holes at both the technical and human layers. 
  • Employ continuous security education, necessitate incident reporting processes, and behavioural monitoring to detect policy violations or insider abuse early.

Crypto Theft Hits $2 Billion in 2025: A Growing Threat to Digital Finance

 


In the first six months of 2025, the cryptocurrency sector has suffered thefts exceeding $2 billion, marking the highest ever recorded for this period. The findings, based on verified research from industry watchdogs, highlight a sharp rise in both the frequency and scale of digital asset breaches.


Surge in Attacks: Over 75 Major Incidents

Between January and June, at least 75 confirmed hacks and exploits were reported. These incidents collectively amounted to around $2.1 billion in losses, surpassing previous mid-year records. Losses of over $100 million occurred in multiple months, indicating that the threat is persistent and widespread, not isolated to one-off events.


A Single Breach Makes Up Majority of Losses

One particular cyberattack early in the year stood out for its scale. In February 2025, a high-profile breach of a crypto exchange caused losses estimated at $1.5 billion, accounting for nearly 70% of total thefts in the first half of the year. This incident has skewed the average size of each attack upward to $30 million, double what it was during the same period last year. However, large-scale thefts have continued even outside this major event, showing a broader trend of growing risk.


Geopolitical Dimensions: Government-Linked Groups Involved

Cybercrime experts have attributed a substantial share of these losses—approximately $1.6 billion to attackers allegedly tied to nation-states. Analysts suggest these operations may be used to bypass economic restrictions or finance state agendas. The involvement of politically motivated groups points to the increasingly strategic nature of cyber theft in the crypto space.

A separate incident in June targeted a leading exchange in the Middle East, resulting in nearly $90 million in losses. Investigators believe this attack may have had symbolic motives, as funds were transferred to unusable wallets, hinting it wasn’t purely financially driven.


Methods of Attack: Internal Weaknesses Prove Costly

Reports reveal that infrastructure-based breaches, such as stolen private keys, employee collusion, and vulnerabilities in user-facing systems were responsible for over 80% of the losses. These types of attacks tend to cause far more financial damage than technical bugs in blockchain code.

While smart contract vulnerabilities, including re-entrancy and flash loan exploits, still pose risks, they now represent a smaller share of total thefts. This is partly due to quicker response times and faster security patching in decentralized protocols.


Industry Response: The Call for Stronger Security

Experts are urging all crypto companies to reinforce their defenses. Key recommendations include storing assets offline (cold storage), using multi-factor authentication for all access points, and conducting regular audits. Addressing insider threats and improving staff awareness through training is also critical.

Additionally, collaboration between law enforcement agencies, financial crime units, and blockchain analysts has been identified as essential. Timely sharing of data and cross-border tracking could prove vital in curbing large-scale thefts as digital assets become more intertwined with national security concerns.

Ahold Delhaize USA Faces Data Breach Exposing Sensitive Information

In an announcement published by Ahold Delhaize, a leading global food retailer, the company confirmed that a significant data breach has compromised the personal information of over 2.2 million people across several countries. 

With nearly 10,000 stores located across Europe, the United States, and Indonesia, the company serves more than 60 million customers every week from all over the world, employing approximately 400,000 people. The office of the Maine Attorney General received a formal disclosure from Ahold Delhaize USA on Thursday, which stated that 2,242,521 individuals had been affected by a cybersecurity incident but did not disclose the extent of the breach to date. 

According to preliminary indications, the breach may have affected a wide range of sensitive personal information aside from usernames and passwords. Information that is potentially compromised may include the full name, residential address, date of birth, identification numbers issued by the government, financial account information, and even protected health information. 

Clearly, the scale and nature of this incident demonstrate that large multinational retailers are faced with a growing number of risks and that there is a need for improved cybersecurity measures to be taken in the retail industry. There was a cyber incident in late 2024 that was officially acknowledged by Ahold Delhaize USA last week. Ahold Delhaize USA has acknowledged this incident, revealing that the personal data of more than 2.2 million individuals may have been compromised as a result. 

According to an official FAQ, based on current findings, the company does not believe that the intrusion affected its payment processing systems or pharmacy infrastructure, which are critical areas often targeted by high-impact cyberattacks. As further support for the disclosure, documentation submitted to the Maine Attorney General's Office indicated that approximately 100,000 Maine residents were affected by the breach as a whole. 

As Ahold Delhaize USA operates multiple supermarket chains under the Hannaford brand in this region, this state-specific detail has particular significance, especially since the Hannaford brand is one of the most prominent supermarket brands in the region. It is not known yet how much or what type of data was exposed by the company, however, the widespread scope of the incident raises significant concerns about the potential misuse of personal information and the implications that could have on many individuals across multiple states. 

As far as cyberattacks targeting Ahold Delhaize USA are concerned, this incident can be attributed to a broader pattern of rising threats within the grocery distribution and food industry in general. On November 8, 2024, the parent company of the retailer publicly acknowledged the security breach, and later in April 2025, the company's parent company confirmed that the attackers had accessed sensitive data related to individuals in the Netherlands, where the company is headquartered. 

It was imperative that Ahold Delhaize USA temporarily disable portions of its internal systems during the initial stage of the incident as a precautionary measure. In addition to maintaining a significant global footprint, Ahold Delhaize operates more than 9,400 stores in Europe, the United States, and Indonesia. It is a leading multinational retailer and wholesale conglomerate with more than 9,000 stores worldwide. 

It serves approximately 60 million consumers every week both physically and digitally through its network of more than 393,000 employees. By the year 2024, the company will report annual net sales of more than $104 billion, driven by a diverse portfolio of well-known retail brands that are part of a broad range of well-known retail brands. As an example of these, in the United States, users will find Food Lion, Stop and Shop, Giant Food, and Hannaford, while in Europe, it is represented by Delhaize, Maxi, Mega Image, Albert, Bol, Alfa Beta, Gall & Gall, and Profi among a variety of banners. 

In November 2024, the company first announced its breach, stating that certain U.S.-based brands and operations, including pharmacy operations and segments of its e-commerce infrastructure, had been compromised as a result of the breach. According to a formal filing filed with the Maine Attorney General's Office on Thursday, cyberattackers gained unauthorized access to Ahold Delhaize USA’s internal business systems on November 6, 2024, and this resulted in sensitive data belonging to 2,242,521 individuals being compromised.

Although the company has not yet confirmed whether customer information was among the stolen data, it has confirmed that internal employment records were also stolen as part of the theft. Ahold Delhaize USA and its affiliated companies may have collected and stored personal information about current and former employees, raising concerns about the possibility of misuse of personal identifying information as well as employment information, among other things. 

It is evident from the scale of this breach that large, interconnected retail networks face increasingly dangerous vulnerabilities, which underscores the need to enforce robust cybersecurity practices at all levels of an organisation. It has been discovered through further investigation into the breach that the compromised files might have contained very sensitive personal information in a wide variety of forms. 

Ahold Delhaize USA Services has made it clear that the data could be potentially exposed includes the full names of individuals, their contact information (such as postal addresses, telephone numbers, and email addresses) along with their dates of birth and numerous forms of government-issued identification number, such as Social Security numbers, passport numbers, or driver’s license numbers. 

The company also reported that, besides information about financial accounts, such as bank account numbers and medical information, which can be contained within employment files, there was also potentially confidential information concerning workers' compensation records and medical records. An unauthorised party has been able to gain access to employment-related records related to current and former employees. 

After receiving a formal notification from the Attorneys General of California, Maine, and Montana regarding the breach on June 26, 2025, the company began sending notification emails to those affected by the breach. Ahold Delhaize USA Services has stated that those individuals who receive confirmation that their personal information has been compromised may be eligible for compensation under this policy. 

Whenever such a data breach occurs, the effects can be far-reaching, as sensitive personal data may be used for identity theft, financial fraud, or malicious activities. It is widely understood by security experts that companies that collect and store sensitive information are bound by legal and ethical obligations to protect that information from unauthorised access. There is a possibility that affected individuals may be able to sue for damages that result from the misuse or exposure of their personal information when proper safeguards are not observed. 

In light of the increasing frequency of these breaches, the importance of strengthening corporate data protection frameworks and swiftly addressing incidents is increasing. An organisation known as Inc Ransom, formerly linked with sophisticated ransomware campaigns, claimed responsibility for the cyberattack. It has been found that the group has participated in the cyberattack, raising further concerns about the methods used and the possibility that the stolen data may be exploited in the future. 

There has been another cyberattack which has recently struck United Natural Foods, Inc., which coincided with the timing of Ahold Delhaize USA's complete disclosure of the exposure of personal information. In the wake of this breach, UNFI, a major grocery distributor in the United States, was forced to temporarily shut down several online systems, disrupting the fulfilment process and causing delays in delivering groceries to retailers.

After containing the incident, UNFI has also restored its electronic ordering and invoicing capabilities. These back-to-back breaches highlight the growing cybersecurity vulnerabilities in the retail sector and the supply chain sector, making it increasingly important for companies to develop coordinated defensive strategies to protect sensitive consumer and business data, both of which are in urgent need.

Chaos Ransomware Strikes Optima Tax Relief, Leaks 69GB of Sensitive Customer Data

 

In a significant cybersecurity incident impacting the financial services sector, U.S.-based tax resolution firm Optima Tax Relief has reportedly suffered a ransomware attack orchestrated by the Chaos ransomware group. The attackers have allegedly exfiltrated and leaked approximately 69GB of data, including confidential corporate records and sensitive personal tax files.

The exposed information reportedly includes Social Security numbers, home addresses, phone contacts, and banking details — all highly valuable to identity fraudsters. Given the nature of tax records, cybersecurity experts caution that the risks for affected individuals could extend for years, as this type of data cannot simply be changed like passwords.

Chaos Group Increases Aggression 

The ransomware group behind the attack, known as Chaos, has been active since March 2025 and is rapidly gaining notoriety for targeting organisations with vast stores of personally identifiable information (PII). Unlike the earlier Chaos ransomware builder seen in 2021, this iteration appears to be a more organised threat actor, employing a strategic approach in selecting its victims. This isn’t their first major claim. In May, Chaos asserted responsibility for a breach involving The Salvation Army, though that incident has yet to be independently verified. 

Silence from Optima Raises Questions 

Optima Tax Relief has yet to release a public statement or acknowledge the breach, prompting concerns among cybersecurity professionals and affected customers. It is still unclear whether the company has reported the incident to federal authorities or regulators. The lack of transparency is drawing criticism over potential lapses in consumer notification, data handling, and compliance with data protection regulations. 

Recommendations for Affected Individuals For anyone who has previously engaged Optima's services, cybersecurity analysts recommend treating their personal information as compromised. Immediate protective steps include: 

1. Enrolling in identity theft protection services that offer credit and SSN monitoring 

2. Reviewing bank statements and credit card activity for suspicious transactions 

3. Requesting credit freezes or fraud alerts from financial institutions 

4. Using data removal tools to reduce digital exposure Installing reputable antivirus software to fend off phishing or malware threats 

5. Enabling two-factor authentication on all financial and sensitive accounts 

A Warning for the Financial Sector 

This breach is part of a growing pattern in which ransomware groups are aggressively targeting organisations that store large volumes of sensitive consumer data — particularly in tax, legal, and healthcare sectors. Experts point out that financial firms, especially those involved in tax resolution, remain prime targets due to their often under-resourced cybersecurity infrastructure.

As investigations continue, pressure is mounting on Optima Tax Relief to disclose the extent of the damage and take accountability for customer safety moving forward.

Swiss Health Foundation Ransomware Attack Exposes Government Data

 

The Swiss government is announcing that a ransomware assault at the third-party company Radix has affected sensitive data from multiple federal offices.

The Swiss authorities claim that the hackers obtained information from Radix systems and then posted it on the dark web. The nation's National Cyber Security Centre (NCSC) is assisting in the analysis of the leaked data to determine which government agencies are affected and to what extent. 

“The foundation Radix has been targeted by a ransomware attack, during which data was stolen and encrypted,” the Swiss government noted. “Radix’s customers include various federal offices. The data has been published on the dark web and will now be analyzed by the relevant offices.” 

Radix is a Zurich-based non-profit focused on health promotion. It operates eight competence centres that carry out projects and services for the Swiss federal government, cantonal and municipal corporations, and other public and private organisations. 

According to the organization's statement, Sarcoma ransomware affiliates penetrated its systems on June 16. Sarcoma is a newly emerging ransomware outfit that began operations in October 2024 quickly became one of the most active, claiming 36 victims in its first month. One notable example was an attack on PCB giant Unimicron. 

Phishing, supply-chain attacks, and outdated flaws are some of the ways Sarcoma gains access. Once RDP connections are exploited, the hackers usually proceed laterally across the network. The threat actor may encrypt the data in addition to stealing it in the final phase of the attack. On June 29, the ransomware outfit uploaded the stolen Radix data on their leak portal on the dark web, most likely after extortion attempts failed. 

Personalised alerts were sent to affected individuals, according to Radix, which also states that there is no proof that critical information from partner organisations was compromised. Radix advises potentially vulnerable users to be on guard over the next few months and to be cautious of attempts to obtain their account credentials, credit card details, and passwords in order to mitigate this risk. 

In March 2024, the Swiss government confirmed it had experienced a similar exposure via third-party software services provider Xplain, which was attacked by the Play ransomware gang on May 23, 2023. As a result of that incident, 65,000 Federal Administration documents were leaked, many of which included private and sensitive data.

Horizon Healthcare RCM Reports Ransomware Breach Impacting Patient Data

 

Horizon Healthcare RCM has confirmed it was the target of a ransomware attack involving the theft of sensitive health information, making it the latest revenue cycle management (RCM) vendor to report such a breach. Based on the company’s breach disclosure, it appears a ransom may have been paid to prevent the public release of stolen data. 

In a report filed with Maine’s Attorney General on June 27, Horizon disclosed that six state residents were impacted but did not provide a total number of affected individuals. As of Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights had not yet listed the incident on its breach portal, which logs healthcare data breaches affecting 500 or more people.  

However, the scope of the incident may be broader. It remains unclear whether Horizon is notifying patients directly on behalf of these clients or whether each will report the breach independently. 

In a public notice, Horizon explained that the breach was first detected on December 27, 2024, when ransomware locked access to some files. While systems were later restored, the company determined that certain data had also been copied without permission. 

Horizon noted that it “arranged for the responsible party to delete the copied data,” indicating a likely ransom negotiation. Notices are being sent to affected individuals where possible. The compromised data varies, but most records included a Horizon internal number, patient ID, or insurance claims data. 

In some cases, more sensitive details were exposed, such as Social Security numbers, driver’s license or passport numbers, payment card details, or financial account information. Despite the breach, Horizon stated that there have been no confirmed cases of identity theft linked to the incident. 

The matter has been reported to federal law enforcement. Multiple law firms have since announced investigations into the breach, raising the possibility of class-action litigation. This incident follows several high-profile breaches involving other RCM firms in recent months. 

In May, Nebraska-based ALN Medical Management updated a previously filed breach report, raising the number of affected individuals from 501 to over 1.3 million. Similarly, Gryphon Healthcare disclosed in October 2024 that nearly 400,000 people were impacted by a separate attack. 

Most recently, California-based Episource LLC revealed in June that a ransomware incident in February exposed the health information of roughly 5.42 million individuals. That event now ranks as the second-largest healthcare breach in the U.S. so far in 2025. Experts say that RCM vendors continue to be lucrative targets for cybercriminals due to their access to vast stores of healthcare data and their central role in financial operations. 

Bob Maley, Chief Security Officer at Black Kite, noted that targeting these firms offers hackers outsized rewards. “Hitting one RCM provider can affect dozens of healthcare facilities, exposing massive amounts of data and disrupting financial workflows all at once,” he said.  
Maley warned that many of these firms are still operating under outdated cybersecurity models. “They’re stuck in a compliance mindset, treating risk in vague terms. But boards want to know the real-world financial impact,” he said. 

He also emphasized the importance of supply chain transparency. “These vendors play a crucial role for hospitals, but how well do they know their own vendors? Relying on outdated assessments leaves them blind to emerging threats.” 

Maley concluded that until RCM providers prioritize cybersecurity as a business imperative—not just an IT issue—the industry will remain vulnerable to repeating breaches.

Hackers Impersonate IT Staff to Drain $1 Million from NFT Projects in Days

 

NFT projects lost an estimated $1 million in cryptocurrency last week after attackers infiltrated their core minting infrastructure by posing as IT personnel. The breach affected the fan-token marketplace Favrr along with Web3 ventures Replicandy and ChainSaw, among others.

Onchain investigator and cybersecurity analyst ZackXBT reported that the perpetrators rapidly issued massive waves of NFTs, crashing floor prices to zero. They then liquidated their holdings before project teams could mount a response.

According to findings, the attackers quietly embedded themselves within development teams by using fake identities. With insider access to minting contracts secured, they unleashed thousands of tokens and NFTs in a matter of minutes.

The sudden influx of minted assets tanked floor prices and allowed the thieves to convert assets into liquid funds almost immediately. Within just a week, approximately $1 million disappeared from the affected treasuries. Favrr endured some of the heaviest losses as the attackers dumped tokens faster than the market could absorb them. Replicandy and ChainSaw were hit with similar tactics—Replicandy’s floor prices collapsed nearly instantaneously.

ChainSaw’s stolen crypto remains dormant in wallets, awaiting laundering operations to funnel the funds back through exchanges. ZackXBT noted, “Nested services then further obscured the money trail.”

Investigators revealed that onchain transactions moved the stolen assets through multiple wallets and exchanges, making the flow challenging to trace. Analysts warn that following mixed outputs could take weeks as exchanges comb through extensive transaction logs. This process slows or even prevents law enforcement from freezing compromised accounts.

In a related incident from May 2025, the Coinbase data breach exposed personal information of roughly 69,461 customers after contractors were bribed to hand over user details, sparking an extortion attempt against the platform.

The NFT and Web3 infiltration closely resembles the tactics of Ruby Sleet, a group that in November 2024 targeted aerospace and defense companies before pivoting to IT firms via fraudulent recruitment campaigns. Their strategy combined social engineering, credential theft, and malware to compromise systems.

Experts say these blockchain and NFT breaches highlight how open, irreversible ledgers amplify operational errors—especially when insiders gain privileged access. As ZackXBT underscored, “When insiders gain privileges, there’s often no undo button.”

Security professionals are advising NFT and Web3 organizations to adopt stricter zero-trust models that restrict each developer’s permissions. Requiring multi-party approvals before any large-scale minting can help prevent sudden attacks. Additionally, deploying real-time monitoring tools can quickly detect suspicious activity, while thorough code reviews and identity verification for every hire are critical to closing vulnerabilities before they can be exploited.

UK Man Accused in Major International Hacking Case, Faces US Charges




A 25-year-old British citizen has been formally charged in the United States for allegedly leading an international hacking operation that caused millions in damages to individuals, companies, and public institutions.

Authorities in the US claim the man, identified as Kai West, was the person behind an online identity known as "IntelBroker." Between 2022 and 2025, West is accused of breaking into systems of more than 40 organizations and trying to sell sensitive data on underground online forums.

According to court documents, the financial impact of the operation is estimated to be around £18 million. If convicted of the most serious offense—wire fraud—West could face up to 20 years in prison.

Prosecutors believe that West worked with a group of 32 other hackers and also used the online alias “Kyle Northern.” While officials didn’t name the specific forum used, various sources suggest that the activity took place on BreachForums, a site often linked to the trade of stolen data.

Investigators say West posted nearly 160 threads offering stolen data for sale, often in exchange for money, digital credits, or even for free. His alleged victims include a healthcare provider, a telecom company, and an internet service provider—all based in the US. While official names were not disclosed in court, separate reports connect the IntelBroker identity to past breaches involving major companies and even government bodies.

One particularly concerning incident tied to the IntelBroker persona occurred in 2023, when a data leak reportedly exposed health and personal information of US lawmakers and their families. This included details such as social security numbers and home addresses.

Officials say they were able to trace West’s identity after an undercover operation led them to one of his cryptocurrency transactions. A $250 Bitcoin payment for stolen data allegedly helped link him to email addresses used in the operation.

West was arrested in France in February and remains in custody there. The United States is now seeking his extradition so he can stand trial.

The US Department of Justice has called this a “global cybercrime operation” and emphasized the scale of damage caused. FBI officials described West’s alleged activity as part of a long-running scheme aimed at profiting from illegally obtained data.

French authorities have also detained four other individuals in their twenties believed to be connected to the same forum, although no further details have been made public.

As of now, there has been no official response or legal representation comment from West’s side. 

2.2 Million People Impacted by Ahold Delhaize Data Breach

 

Ahold Delhaize, the Dutch grocery company, reported this week that a ransomware attack on its networks last year resulted in a data breach that affected more than 2.2 million customers. 

The cybersecurity breach was discovered in November 2024, when numerous US pharmacies and grocery chains controlled by Ahold Delhaize reported network troubles. The incident affected Giant Food pharmacies, Hannaford supermarkets, Food Lion, The Giant Company, and Stop & Shop.

In mid-April 2025, Ahold Delhaize was attacked by the Inc Ransom ransomware organisation. Shortly after, the company acknowledged that the hackers probably stole data from some of its internal business systems.

 Since then, Ahold Delhaize has determined that personal data has been hacked, and those affected are currently being notified. Internal employment records for both current and defunct Ahold Delhaize USA enterprises were included in the stolen files. The organization told the Maine Attorney General’s Office that 2,242,521 people are affected.

The compromised information differs from person to person, however it includes name, contact information, date of birth, Social Security number, passport number, driver's license number, financial account information, health information, and employment-related information. Affected consumers will receive free credit monitoring and identity protection services for two years. 

The attackers published around 800 Gb of data allegedly stolen from Ahold Delhaize on their Tor-based leak website, indicating that the corporation did not pay a ransom. Inc Ransom claimed to have stolen 6 TB of data from the company.

Cyberattacks on the retail industry, notably supermarkets, have increased in recent months. In April, cybercriminals believed to be affiliated with the Scattered Spider group targeted UK retailers Co-op, Harrods, and M&S. 

Earlier this month, United Natural Foods (UNFI), the primary distributor for Amazon's Whole Foods and many other North American grocery shops, was targeted by a hack that disrupted company operations and resulted in grocery shortages. According to UNFI, there is no evidence that personal or health information was compromised, and no ransomware group claimed responsibility for the attack.

Surmodics Hit by Cyberattack, Shuts Down IT Systems Amid Ongoing Investigation

 

Minnesota-headquartered Surmodics, a leading U.S. medical device manufacturer, experienced a cyberattack on June 5 that led to a partial shutdown of its IT infrastructure. The company, known for being the largest domestic supplier of outsourced hydrophilic coatings used in devices like intravascular catheters, detected unauthorized access within its network and immediately took several systems offline. During the disruption, it continued fulfilling orders and shipping products through alternative channels.

The incident was disclosed in a filing with the U.S. Securities and Exchange Commission (SEC), which noted that law enforcement has been informed. Surmodics joins Artivion and Masimo as the third publicly listed medical device company to report a cyberattack to the SEC in recent months.

With assistance from cybersecurity professionals, Surmodics has managed to restore essential IT operations, though a complete assessment of what data was compromised is still underway. Some systems remain in recovery.

“The Company remains subject to various risks due to the cyber Incident, including the adequacy of processes during the period of disruption of the Company's IT systems, diversion of management's attention, potential litigation, changes in customer behavior, and regulatory scrutiny,” said Timothy Arens, Chief Financial Officer of Surmodics, in the SEC filing.

The identity of the attackers remains unknown, and according to the company, no internal or third-party data has been leaked. Surmodics also confirmed it holds cyber insurance, which is expected to cover the bulk of the breach-related expenses.

The company has expressed concern about potential lawsuits stemming from the attack—a growing trend in the aftermath of corporate data breaches. Recent class actions have targeted firms like Coinbase and Krispy Kreme over compromised personal information.

Financially, Surmodics reported $28 million in revenue last quarter. It is currently involved in a legal dispute with the Federal Trade Commission (FTC), which is attempting to block a $627 million acquisition bid by a private equity firm. The FTC argues that the deal would merge the two largest players in the specialized medical coating industry, potentially reducing competition.

Ahold Delhaize Reports Major Data Breach Affecting Over 2 Million Employees in the U.S.

 


One of the world’s largest grocery retail groups has confirmed a major cyber incident that compromised sensitive information belonging to more than 2.2 million individuals across its U.S. operations.

The company, known for running supermarket chains like Food Lion, Giant Food, and Stop & Shop, revealed that a ransomware attack last November led to unauthorized access to internal systems. This breach primarily exposed employment-related data of current and former workers, according to a recent report filed with the Maine Attorney General’s office.


What Information Was Exposed?

While not everyone affected had the same type of data compromised, the company stated that hackers may have accessed a combination of the following:

• Full names and contact details

• Birth dates

• Government-issued ID numbers

• Bank account details

• Health and workers’ compensation records

• Job-related documents


The breach does not appear to involve customer information, according to the company’s internal review. In Maine alone, over 95,000 individuals were impacted, triggering formal notification procedures as required by law.


Company’s Response and Next Steps

Following the discovery of the breach on November 6, 2024, Ahold Delhaize immediately launched an investigation and worked to contain the attack. Temporary service disruptions were reported, including issues with pharmacies and delivery services.

To assist those affected, the company is offering two years of free credit and identity monitoring through a third-party provider. It has also engaged external cybersecurity experts to further review and enhance its systems.


Ransomware Group Possibly Involved

Although Ahold Delhaize has not officially identified the group behind the attack, a ransomware operation known as INC Ransom reportedly claimed responsibility earlier this year. Files believed to be taken from the company were published on the group’s leak site in April.

Cybersecurity professionals say the exposed information could be used for identity theft and financial fraud. Experts have advised affected individuals to monitor their credit reports and, where possible, lock their credit files as a precautionary measure.


A Growing Concern for the Sector

Cyberattacks on retail and food service companies are becoming more frequent and severe. According to researchers, this incident stands out due to the unusually high number of records affected. The average breach in this sector usually involves far fewer data points.

Security specialists say such events highlight the urgent need for stronger protection strategies, including multi-factor authentication, network segmentation, and stealth technologies that reduce exposure to cyber threats.


Ahold Delhaize at a Glance

Headquartered in the Netherlands and Belgium, Ahold Delhaize operates more than 9,400 stores worldwide and serves roughly 60 million customers each week. In 2024, the company recorded over $100 billion in global sales.

As the investigation continues, the company has pledged to strengthen its data safeguards and remain vigilant against future threats.

FIR Filed After Noida Logistics Company Claims User Data Leaked

 

High-profile clients' private information, including that of top government officials, was leaked due to a significant cybersecurity incident at Agarwal Packers and Movers Ltd (APML) in India. Concerns over the security of corporate data as well as possible national security implications have been raised by the June 1 incident. An inquiry is still under progress after police filed a formal complaint. 

In what could be one of the most sensitive data breaches in recent memory, Agarwal Packers and Movers Ltd (APML), a well-known logistics company with its headquarters located in Sector 60, Noida, has disclosed that private client information, including the addresses and phone numbers of senior government clients, has been stolen. 

The intrusion was detected on June 1 after several clients, including prominent bureaucrats, diplomats, and military people, began receiving suspicious, highly targeted phone calls.

"The nature of the calls strongly indicated that the callers had access to specific customer queries and records related to upcoming relocations," the complainant, Jaswinder Singh Ahluwalia, Group President and CEO of APML, stated in the police FIR. He cautioned that this is more than just a disclosure of company data. It has an impact on personal privacy, public trust, and possibly national security. 

The company initiated an internal technical inspection, which uncovered traces of unauthorised cyber infiltration, confirming worries regarding a breach. The audit detected collaboration between internal personnel and external cybercriminals. While the scope of the hack is still being investigated, its significance is undeniable: the firm serves India's elite, making the stolen data a potential goldmine for bad actors. 

In accordance with Sections 318(4) and 319(2) of the Bharatiya Nyaya Sanhita and Sections 66C (identity theft) and 66D (impersonation by computer resource) of the Information Technology Act, a formal complaint was filed at the Sector 36 Cyber Crime Police Station. 

According to Cyber SHO Ranjeet Singh, they have a detailed complaint with technological proof to back it up. At the moment, their cyber unit is looking through access trails, firewall activity, and internal server records. Due to the nature of clients impacted, the issue is being handled with the highest attention. 

The attack has triggered calls for stricter cybersecurity practices in private companies that serve sensitive sectors. While APML has yet to reveal how many people were affected, its internal records allegedly include relocation information for high-level clientele like as judges, intelligence officers, and foreign dignitaries.

Hackers Exploit Low-Paid Tech Support Workers to Breach Major Companies, Steal Customer Data

 

As more companies turn to outsourced tech support to save money, the risks tied to these operations are becoming increasingly evident. The dangers aren’t solely technical anymore; they also stem from the individuals operating behind the screens, who are often under financial strain and targeted by increasingly sophisticated cybercriminals.

Hackers are weaponizing outsourced tech support teams and call centers—the very services meant to assist customers—as tools for large-scale cybercrime. Recent breaches in the US and UK illustrate a worrying trend: attackers manipulating the human side of support operations to slip past advanced security protocols and seize sensitive data.

In one of the most impactful incidents so far, criminals infiltrated overseas call centers serving prominent American companies, including the cryptocurrency platform Coinbase. While attackers used different tactics, they shared a common strategy: exploiting the access held by low-level support staff, who frequently earn low wages despite handling confidential customer details.

According to Coinbase, hackers bribed customer support agents employed by TaskUs and other help desk providers, offering payments upwards of $2,500 to secure insider assistance. "You're working with a low-paid labor market," Isaac Schloss, chief product officer at Contact Center Compliance, told the Wall Street Journal. "These people are in a position of poverty more often than not. So if the right opportunity comes for the right person, people are willing to look the other way."

The fallout was severe. At Coinbase, the breach affected data from as many as 97,000 customers and could result in reimbursement costs nearing $400 million. Using the stolen details, attackers impersonated legitimate Coinbase representatives, contacting victims about their accounts and persuading them to transfer cryptocurrency into criminal-controlled wallets. "Every other day a new case would come in, and it would be, 'I got called by Coinbase, and I lost all my money because it wasn't Coinbase,'" Josh Cooper-Duckett, director of investigations at Cryptoforensic Investigators, told the publication.

These tactics are not confined to the crypto industry. In the UK, hackers have also targeted major retailers such as Marks & Spencer and Harrods, pretending to be senior executives to pressure tech-support staff into granting access to internal systems—a method resembling the 2023 MGM Resorts breach.

Beyond bribery, call center vulnerabilities include malicious software planted to siphon off data in large volumes. In some cases, hackers persuaded insiders to describe the applications installed on their systems, ultimately identifying a browser extension with a flaw they could exploit. This allowed them to inject code and harvest extensive customer records.

The cross-border nature of outsourcing complicates accountability. In many regions, workers face minimal legal penalties for helping enable cyberattacks. "We've seen relatively limited consequences, in those regions, for perpetrators," Philip Martin, Coinbase's chief security officer, said. Even when employees are terminated, "It's a relatively straightforward thing for them to go get a new one," he noted.

Despite businesses investing billions in sophisticated cybersecurity tools, hackers persistently capitalize on the most fragile element: people. "Consistently, the human interaction has proven to be a weak link," Michael McPherson, a senior vice president at cybersecurity firm ReliaQuest, said.

Massive Data Leak Exposes 16 Billion Login Records from Major Online Services

 

A recent investigation by Cybernews has uncovered a staggering 30 separate online datasets containing approximately 16 billion stolen login credentials from services including Apple, Google, and Facebook. These data dumps, discovered through open sources, appear to be the result of large-scale malware attacks that harvested user information through infostealers. 

Each dataset contains a URL alongside usernames and passwords, suggesting that malicious software was used to collect login details from infected devices. While some overlap exists among the records, the overall size and spread of the leak make it difficult to determine how many unique users have been compromised. 

Except for one dataset previously identified by cybersecurity researcher Jeremiah Fowler—which included over 185 million unique credentials—most of the remaining 29 databases had not been publicly reported before. These leaked collections are often only temporarily available online before being removed, but new compilations are regularly uploaded, often every few weeks, with fresh data that could be weaponized by cybercriminals. The exact sources and individuals behind these leaks remain unknown. 

To avoid falling victim to similar malware attacks, experts advise staying away from third-party download platforms, especially when obtaining software for macOS. Users are encouraged to download apps directly from the Mac App Store or, if not available there, from a developer’s official website. Using cracked or pirated software significantly increases the risk of malware infection. 

Phishing scams remain another common threat vector. Users should be cautious about clicking on links in unsolicited emails or messages. Even if a message appears to come from a trusted company, it’s vital to verify the sender’s address and inspect URLs carefully. You can do this by copying the link and pasting it into a text editor to see its actual destination before clicking. 

To reduce the chance of visiting malicious sites, double-check the spelling of URLs typed manually and consider bookmarking commonly used sites. Alternatively, using a search engine and clicking on verified results can reduce the risk of visiting typo-squatting domains. 

If you suspect your credentials may have been compromised, take immediate action. Start by updating passwords on any affected services and enabling two-factor authentication for added security. It’s also wise to check your financial statements for unauthorized activity and consider placing a freeze on your credit file to prevent fraudulent account openings. 

Additionally, tools like Have I Been Pwned can help verify if your email address has been part of a known breach. Always install the latest system and app updates, as they often include crucial security patches. Staying current with updates is a simple but effective defense against vulnerabilities and threats.

Scania Targeted in Extortion Attempt Following Data Breach

 


An alarm is triggered in both the automotive and financial industries when Scania Financial Services, based in Sweden, confirms that a cybersecurity incident has compromised sensitive company data, which has raised concerns in the industry. 

The breach was reportedly caused by unauthorised access to the subdomain insurance.scania.com between mid-June 2025 and mid-July 2025. This intrusion has been claimed to have been perpetrated by a threat actor known as "hensi", and the stolen information is allegedly being sold on underground cybercrime forums by a threat actor using the alias "hensi." 

The exposure of confidential insurance-related information is raising concerns about the possibility of misuse of customer data and corporate records. Founded in 1937, Scania is one of the world's leading automotive manufacturers with expertise in the manufacturing of heavy-duty trucks, buses, and industrial as well as marine engines. 

The company operates as one of the key subsidiaries of the Volkswagen Group. Scania, a major player in the European market for commercial vehicles, is one of the most vulnerable organisations in the world when it comes to cyber extortion schemes, which are becoming increasingly sophisticated. While the full extent of the breach is still being investigated, industry experts see this incident as yet another reminder that the threat landscape facing the financial services arm of a multinational corporation is escalating. 

It is well known for the high quality of its engineering and the fuel efficiency of its fuel-efficient, long-lasting engines, which have earned Scania a leading position in the commercial vehicle industry around the world. This company is a global leader in the manufacturing and delivery of vehicles across many international markets. 

It employs more than 59,000 people and generates more than $20.5 billion annually. According to reports, the breach occurred on May 28, 2025, when cybercriminals exploited login credentials that had been harvested through information-stealing malware to gain unauthorised access to Scania's systems. As part of the ongoing cybersecurity crisis, threat intelligence platform Hackmanac found a post from the cybercriminal Hensi made on a well-known hacking forum. 

Additional developments emerged as a result of the ongoing cybersecurity incident. This actor claimed that he had stolen sensitive information from the compromised subdomain insurance.scania.com and then offered the information for sale to a single exclusive buyer in exchange for payment. Even though this discovery added credibility to the extortion attempt, it highlighted the severity of the breach, as well as reinforcing growing concerns surrounding data security within the automotive-financial industry. 

A critical question that arises from the breach is whether third parties are exposed to risk and whether cyber extortion tactics are becoming increasingly sophisticated. Scania is continuing to investigate the breach, and this raises significant concerns. As the hacker team escalated the attack, they began to contact Scania employees directly via a ProtonMail account, threatening to publicly release the compromised information unless they met certain demands. 

In response to this switch from silent intrusion to overt blackmail, the company responded with greater urgency. Although the number of people affected has not been announced officially, the nature of the exposed information suggests that it could include highly sensitive information relating to insurance claims accessed through the compromised platform, such as personal, financial, and perhaps medical information. 

It was in response to this situation that Scania immediately deactivated the affected application and conducted a comprehensive internal investigation, which was undertaken jointly with cybersecurity specialists. As a result, Scania was also required to inform the appropriate authorities regarding data protection violations, based on legal and regulatory requirements. 

A number of vendors have been put under intense scrutiny for the way they manage vendor risk, and this incident has highlighted the increasing reliance on third-party platforms that might not always adhere to adequate security standards. This breach is believed to have occurred in the middle of May 2025, when a threat actor used compromised credentials obtained from a legitimate external user to gain unauthorised access to one of the Scania systems used to drive insurance-related operations for a company in the Czech Republic. 

According to initial analysis, the credentials were harvested using password-stealing malware, which has become an increasingly popular method for cybercriminals to infiltrate corporate networks in order to steal data and manipulate the systems. After getting inside the account, the attacker used the compromised account to download documents pertaining to insurance claims. 

The documents likely contain personal information (PII) as well as potentially sensitive financial or medical information, resulting in a breach of privacy. Though Scania has not yet disclosed the exact number of individuals affected, the nature of the compromised documents indicates that a significant privacy impact could arise for those individuals. Following the initial breach, the incident escalated into a clear case of cyber extortion. 

A few days ago, the attackers started reaching out directly to Scania employees, using a ProtonMail (proton.me) address, and threatened them with disclosure. The attackers were also trying to amplify pressure on the company by sending a second threatening email from a hijacked third-party email account, indicating the intent of the attacker to employ every possible method for coercing compliance from the company. 

After the stolen data was published by a user operating under the alias "Hensi" on dark web forums, which backed up earlier claims and confirmed the breach's authenticity, it was more credible than ever. Consequently, Scania promptly removed the affected application from the network and initiated a thorough forensic investigation in response to the incident. 

By compliance requirements, the company stated that the breach appeared to have a limited impact on the company's business and that appropriate regulatory bodies, including the data protection authority, had been duly informed of these requirements. As a result of this incident, it becomes increasingly clear that enterprise environments should develop better credential hygiene, strengthen third-party oversight, and implement proactive incident response strategies. 

Considering the severity of the Scania cyber incident, the incident serves as a warning for enterprise ecosystems that are increasingly facing cyber threats, especially those that rely heavily on third-party infrastructures. In this context, companies must adopt a zero-trust security architecture, continuously monitor their users' behaviour, and invest in advanced threat detection tools that will allow them to detect credential misuse at the earliest opportunity. 

The organisation must also reevaluate vendor relationships with a strong focus on supply chain security, as well as ensure external service providers follow the same rigorous standards as internal service providers. Moreover, integrating employee awareness training with incident response simulations as a foundational pillar of a resilient cybersecurity posture should not be an optional element, but instead should be included as an integral part of a comprehensive cybersecurity strategy. 

A proactive company will be able to distinguish itself from those reacting too late as cyber extortion tactics become increasingly targeted and disruptive as they become increasingly targeted and disruptive. Investing in a security culture that values data protection as a shared and continuous responsibility across every level of the organisation is one of the key factors in ensuring the success of global corporations like Scania. This is the key to regaining confidence in data protection.

Microsoft Entra ID Faces Surge in Coordinated Credential-Based Attacks

An extensive account takeover (ATO) campaign targeting Microsoft Entra ID has been identified by cybersecurity experts, exploiting a powerful open-source penetration testing framework known as TeamFiltration. 

First detected in December 2024, the campaign has accelerated rapidly, compromising more than 80,000 user accounts across many cloud environments over the past several years. It is a sophisticated and stealthy attack operation aimed at breaching enterprise cloud infrastructure that has been identified by the threat intelligence firm Proofpoint with the codename UNK_SneakyStrike, a sophisticated and stealthy attack operation. 

UNK_SneakyStrike stands out due to its distinctive operational pattern, which tends to unfold in waves of activity throughout a single cloud environment often targeting a broad spectrum of users. The attacks usually follow a period of silent periods lasting between four and five days following these aggressive bursts of login attempts, a tactic that enables attackers to avoid triggering traditional detection mechanisms while maintaining sustained pressure on organizations' defence systems. 

Several technical indicators indicate that the attackers are using TeamFiltration—a sophisticated, open-source penetration testing framework first introduced at the Def Con security conference in 2022—a framework that is highly sophisticated and open source. As well as its original purpose of offering security testing and red teaming services in enterprises, TeamFiltration is now being used by malicious actors to automate large-scale user enumeration, password spraying, and stealthy data exfiltration, all of which are carried out on a massive scale by malicious actors. 

To simulate real-world account takeover scenarios in Microsoft cloud environments, this tool has been designed to compromise Microsoft Entra ID, also known as Azure Active Directory, in an attempt to compromise these accounts. It is important to know that TeamFiltration's most dangerous feature is its integration with the Microsoft Teams APIs, along with its use of Amazon Web Services (AWS) cloud infrastructure to rotate the source IP addresses dynamically. 

Not only will this strategy allow security teams to evade geofencing and rate-limiting defences, but also make attribution and traffic filtering a significant deal more challenging. Additionally, the framework features advanced functionalities that include the ability to backdoor OneDrive accounts so that attackers can gain prolonged, covert access to compromised systems without triggering immediate alarms, which is the main benefit of this framework. 

A combination of these features makes TeamFiltration a useful tool for long-term intrusion campaigns as it enhances an attacker's ability to keep persistence within targeted networks and to siphon sensitive data for extended periods of time. By analysing a series of distinctive digital fingerprints that were discovered during forensic analysis, Proofpoint was able to pinpoint both the TeamFiltration framework and the threat actor dubbed UNK_SneakyStrike as being responsible for this malicious activity. 

As a result, there were numerous issues with the tool, including a rarely observed user agent string, hardcoded client identifications for OAuth, and a snapshot of the Secureworks FOCI project embedded within its backend architecture that had been around for quite some time. As a result of these technical artefacts, researchers were able to trace the attack's origin and misuse of tools with a high degree of confidence, enabling them to trace the campaign's origin and tool misuse with greater certainty. 

An in-depth investigation of the attack revealed that the attackers were obfuscating and circumventing geo-based blocking mechanisms by using Amazon Web Services (AWS) infrastructure spanning multiple international regions in order to conceal their real location. A particularly stealthy manoeuvre was used by the threat actors when they interacted with the Microsoft Teams API using a "sacrificial" Microsoft Office 365 Business Basic account, which gave them the opportunity to conduct covert account enumeration activities. 

Through this tactic, they were able to verify existing Entra ID accounts without triggering security alerts, thereby silently creating a map of user credentials that were available. As a result of the analysis of network telemetry, the majority of malicious traffic originated in the United States (42%). Additional significant activity was traced to Ireland (11%) and the United Kingdom (8%) as well. As a consequence of the global distribution of attack sources, attribution became even more complex and time-consuming, compromising the ability to respond efficiently. 

A detailed advisory issued by Proofpoint, in response to the campaign, urged organisations, particularly those that rely on Microsoft Entra ID for cloud identity management and remote access-to initiate immediate mitigations or improvements to the system. As part of its recommendations, the TeamFiltration-specific user-agent strings should be flagged by detection rules, and multi-factor authentication (MFA) should be enforced uniformly across all user roles, based on all IP addresses that are listed in the published indicators of compromise (IOCs). 

It is also recommended that organisations comply with OAuth 2.0 security standards and implement granular conditional access policies within Entra ID environments to limit potential exposure to hackers. There has been no official security bulletin issued by Microsoft concerning this specific threat, but internal reports have revealed that multiple instances of unauthorised access involving enterprise accounts have been reported. This incident serves as a reminder of the risks associated with dual-use red-teaming tools such as TeamFiltration, which can pose a serious risk to organisations. 

There is no doubt in my mind that such frameworks are designed to provide legitimate security assessments, however, as they are made available to the general public, they continue to raise concerns as they make it more easy for threat actors to use them to gain an advantage, blurring the line between offensive research and actual attack vectors as threats evolve. 

The attackers during the incident exploited the infrastructure of Amazon Web Services (AWS), but Amazon Web Services (AWS) reiterated its strong commitment to promoting responsible and lawful use of its cloud platform. As stated by Amazon Web Services, in order to use its resources lawfully and legally, all customers are required to adhere to all applicable laws and to adhere to the platform's terms of service. 

A spokesperson for Amazon Web Services explained that the company maintains a clearly defined policy framework that prevents misappropriation of its infrastructure. As soon as a company receives credible reports that indicate a potential violation of these policies, it initiates an internal investigation and takes appropriate action, such as disabling access to content that is deemed to be violating the company's terms. As part of this commitment, Amazon Web Services actively supports and values the global community of security researchers. 

Using the UNK_SneakyStrike codename, the campaign has been classified as a highly orchestrated and large-scale operation that is based on the enumeration of users and password spraying. According to researchers at Proofpoint, these attempts to gain access to cloud computing services usually take place in bursts that are intense and short-lived, resulting in a flood of credentials-based login requests to cloud environments. Then, there is a period of quietness lasting between four and five days after these attacks, which is an intentional way to prevent continuous detection and prolong the life cycle of the campaign while enabling threat actors to remain evasive. 

A key concern with this operation is the precision with which it targets its targets, which makes it particularly concerning. In the opinion of Proofpoint, attackers are trying to gain access to nearly all user accounts within the small cloud tenants, while selectively targeting particular users within the larger enterprise environments. 

TeamFiltration's built-in filtering capabilities, which allow attackers to prioritise the highest value accounts while avoiding detection by excessive probing, are a calculated approach that mirrors the built-in filtering capabilities of TeamFiltration. This situation underscores one of the major challenges the cybersecurity community faces today: tools like TeamFiltration that were designed to help defenders simulate real-world attacks are increasingly being turned against organisations, instead of helping them fight back. 

By weaponizing these tools, threat actors can infiltrate cloud infrastructure, extract sensitive data, establish long-term access, and bypass conventional security controls, while infiltrating it, extracting sensitive data, and establishing long-term control. In this campaign, we are reminded that dual-purpose cybersecurity technologies, though essential for improving organization resilience, can also pose a persistent and evolving threat when misappropriated. 

As the UNK_SneakyStrike campaign demonstrates, the modern threat landscape continues to grow in size and sophistication, which is why it is imperative that cloud security be taken into account in a proactive, intelligence-driven way. Cloud-native organisations must take steps to enhance their threat detection capabilities and go beyond just reactive measures by investing in continuous threat monitoring, behavioural analytics, and threat hunting capabilities tailored to match their environments' needs. 

In the present day, security strategies must adapt to the dynamic nature of cloud infrastructure and the growing threat of identity-based attacks, which means relying on traditional perimeter defences or static access controls will no longer be sufficient. In order to maintain security, enterprise defenders need to routinely audit their identity and access management policies, verify that integrated third-party applications are secure, and review logs for anomalies indicative of low-and-slow intrusion patterns. 

In order to build a resilient ecosystem that can withstand emerging threats, cloud service providers, vendors, and enterprise security teams need to work together in order to create a collaborative ecosystem. As an added note, cybersecurity community members must engage in ongoing discussions about how dual-purpose security tools should be distributed and governed to ensure that innovation intended to strengthen defences is not merely a weapon that compromises them, but rather a means of strengthening those defences. 

The ability to deal with advanced threats requires agility, visibility, and collaboration in order for organisations to remain resilient. There is no doubt that organisations are more vulnerable to attacks than they were in the past, but they can minimise exposure, contain intrusions quickly, and ensure business continuity despite increasingly coordinated, deceptive attack campaigns if they are making use of holistic security hygiene and adopting a zero-trust architecture.

Paraguay Faces Data Breach Threat as Cyber Group Demands Ransom

 


A cyber extortion group is pressuring the Paraguayan government to pay a ransom of $7.4 million, roughly equal to one dollar for each citizen of the country. The group, which calls itself Brigada Cyber PMC, claims to have stolen personal information from three different Paraguayan government systems, including records of about 7.2 million people from the national civil registry, which manages voter information and other key data.

The hackers posted their demands on their dark web site on Sunday, warning that if the payment is not made by June 13, they will leak all the stolen information to the public. However, by Thursday, the group’s leak site had gone offline and was showing a basic server message, making its current status unclear.


Who Are the Hackers?

Little is known about Brigada Cyber PMC. Their website simply states, “You don’t need to know who we are.” At this stage, it’s uncertain whether they are working independently or if they have backing from a larger organization or government.

According to cybersecurity company Resecurity, the first signs of this data breach appeared on May 28, when a user named "Gatito_FBI_Nz" posted on a cybercrime forum offering to sell two databases containing information on Paraguayan citizens. The seller also provided a sample of nearly 940,000 records and appeared to be connected to other leaks in South America, based on their usernames and contact details shared on Telegram.

Resecurity’s investigation suggests that the hacker involved may have also attacked government systems in other South American countries. Paraguay’s national cybersecurity team, CERT-PY, has been informed of the situation.


The Targeted Systems

One of the affected Paraguayan government websites belonged to the National Agency for Transit and Road Safety, which went offline on May 29 but was brought back the next day. Some of the leaked records appear to have come from this agency and include sensitive personal details such as names, ID numbers, dates of birth, professions, marital status, and nationalities.

Another incident was reported on May 31, when a different hacker named "el_farado" posted another large set of Paraguayan citizen data for sale. This data was allegedly taken from government systems in the Cordillera region. Resecurity noted possible links between this hacker and FunkSec, a ransomware group active since late 2024. The structure of this data suggests it may have come from a separate cyberattack.


History of Attacks

This is not the first time Paraguay’s government networks have been targeted. Resecurity pointed out that a civil registry database was stolen and leaked about two years ago, but it’s unclear whether that older data is now being reused by the current attackers.

In another major case in November 2024, Paraguay’s critical infrastructure was found to be compromised by a hacking group reportedly connected to China, according to a joint investigation by Paraguayan officials and the U.S. Southern Command. That breach was linked to the group known as Flax Typhoon, but no public data leaks or officially confirmed victims were reported in that incident.