Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
Spotify
Data Breach data security Music App Music Streaming Spotify

Spotify Flags Unauthorised Access to Music Catalogue

 

Spotify reported that a third party had scraped parts of its music catalogue after a pirate activist group claimed it had released metadata and audio files linked to hundreds of millions of tracks. 

The streaming company said an investigation found that unauthorised users accessed public metadata and used illicit methods to bypass digital rights management controls to obtain some audio files. 

Spotify said it had disabled the accounts involved and introduced additional safeguards. The claims were made by a group calling itself Anna’s Archive, which runs an open source search engine known for indexing pirated books and academic texts. 

In a blog post, the group said it had backed up Spotify’s music catalogue and released metadata covering 256 million tracks and 86 million audio files. 

The group said the data spans music uploaded to Spotify between 2007 and 2025 and represents about 99.6 percent of listens on the platform. Spotify, which hosts more than 100 million tracks and has over 700 million users globally, said the material does not represent its full inventory. 

The company added that it has no indication that private user data was compromised, saying the only user related information involved was public playlists. The group said the files total just under 300 terabytes and would be distributed via peer to peer file sharing networks. 

It described the release as a preservation effort aimed at safeguarding cultural material. Spotify said it does not believe the audio files have been widely released so far and said it is actively monitoring the situation. 

The company said it is working with industry partners to protect artists and rights holders. Industry observers said the apparent scraping could raise concerns beyond piracy. 

Yoav Zimmerman, chief executive of intellectual property monitoring firm Third Chair, said the data could be attractive to artificial intelligence companies seeking to train music models. Others echoed those concerns, warning that training AI systems on copyrighted material without permission remains common despite legal risks. 

Campaigners have called on governments to require AI developers to disclose training data sources. Copyright disputes between artists and technology companies have intensified as generative AI tools expand. In the UK, artists have criticised proposals that could allow AI firms to use copyrighted material unless rights holders explicitly opt out. 

The government has said it will publish updated policy proposals on AI and copyright next year. Spotify said it remains committed to protecting creators and opposing piracy and that it has strengthened defences against similar attacks.
Read more »
Oracle E-Business Suite
Clop Ransomware Clop Ransomware Gang customer data leak Data Breach Data Leak Data protection data security Oracle E-Business Suite

University of Phoenix Data Breach Exposes Records of Nearly 3.5 Million Individuals

 

The University of Phoenix has confirmed a major cybersecurity incident that exposed the financial and personal information of nearly 3.5 million current and former students, employees, faculty members, and suppliers. The breach is believed to be linked to the Clop ransomware group, a cybercriminal organization known for large-scale data theft and extortion. The incident adds to a growing number of significant cyberattacks reported in 2025. 

Clop is known for exploiting weaknesses in widely used enterprise software rather than locking systems. Instead, the group steals sensitive data and threatens to publish it unless victims pay a ransom. In this case, attackers took advantage of a previously unknown vulnerability in Oracle Corporation’s E-Business Suite software, which allowed them to access internal systems. 

The breach was discovered on November 21 after the University of Phoenix appeared on Clop’s dark web leak site. Further investigation revealed that unauthorized access may have occurred as early as August 2025. The attackers used the Oracle E-Business Suite flaw to move through university systems and reach databases containing highly sensitive financial and personal records.  

The vulnerability used in the attack became publicly known in November, after reports showed Clop-linked actors had been exploiting it since at least September. During that time, organizations began receiving extortion emails claiming financial and operational data had been stolen from Oracle EBS environments. This closely mirrors the methods used in the University of Phoenix breach. 

The stolen data includes names, contact details, dates of birth, Social Security numbers, and bank account and routing numbers. While the university has not formally named Clop as the attacker, cybersecurity experts believe the group is responsible due to its public claims and known use of Oracle EBS vulnerabilities. 

Paul Bischoff, a consumer privacy advocate at Comparitech, said the incident reflects a broader trend in which Clop has aggressively targeted flaws in enterprise software throughout the year. In response, the University of Phoenix has begun notifying affected individuals and is offering 12 months of free identity protection services, including credit monitoring, dark web surveillance, and up to $1 million in fraud reimbursement. 

The breach ranks among the largest cyber incidents of 2025. Rebecca Moody, head of data research at Comparitech, said it highlights the continued risks organizations face from third-party software vulnerabilities. Security experts say the incident underscores the need for timely patching, proactive monitoring, and stronger defenses, especially in education institutions that handle large volumes of sensitive data.
Read more »
zero-day exploit
Dark Web Monitoring Data Breach Higher Education Cyberattack identity theft protection Oracle EBS Vulnerability Ransomware Regulatory Disclosure SSN Data Leak zero-day exploit

3.5 Million Students Impacted in US College Data Breach


Several significant cyber security breaches have prompted a growing data security crisis for one of the largest private higher education institutions in the United States. University of Phoenix, an established for-profit university located in Phoenix, Arizona, has suffered an extensive network intrusion.

It was orchestrated by the Clop ransomware group, a highly motivated cybercriminal syndicate that was well known for extorting large sums of money from their victims. During the attack, nearly 3.5 million individuals' personal records, such as those belonging to students, faculty, administrative staff, and third-party suppliers, were compromised, resulting in the compromise of the records. 

Established in 1976, the university has grown over the last five decades into a major national educational provider. The university has enrolled approximately 82,700 students and is supported by a workforce of 3,400 employees. 

Of these, nearly 2,300 are academics. This breach was officially confirmed by the institution through a written statement posted on its website on early December, while Phoenix Education Partners' parent organization, which filed a mandatory 8-K filing with the U.S. Securities and Exchange Commission, formally notified federal regulators of the incident in early December. 

In this disclosure, the first authoritative acknowledgment of a breach that experts claim may have profound implications for identity protection, financial security, and institutional accountability within the higher education sector has been made. There is a substantial risk associated with critical enterprise software and delayed threat detection, highlighting how extensive the risks can be. 

The breach at the University of Phoenix highlights this fact. The internal incident briefing indicates that the intrusion took place over a period of nine days between August 13 and August 22, 2025. The attackers took advantage of an unreported vulnerability in Oracle's E-Business Suite (EBS) - an important financial and administrative platform widely used by large organizations - to exploit the vulnerability.

During the course of this vulnerability, the threat actors were able to gain unauthorized access to highly sensitive information, which they then exfiltrated to 3,489,274 individuals, including students, alumni, students and professors, as well as external suppliers and service providers. The university did not find out about the compromise until November 21, 2025, more than three months after it occurred, even though it had begun unfolding in August. 

According to reports, the discovery coincided with public signals from the Cl0p ransomware group, which had listed the institution on its leaked site, which had triggered its public detection. It has been reported that Phoenix Education Partners, the parent company of the university, formally disclosed the incident in a regulatory Form 8-K filing submitted to the U.S. Securities and Exchange Commission on December 2, 2025, followed by a broader public notification effort initiated on December 22 and 23 of the same year. 

It is not unusual for sophisticated cyber intrusions to be detected in advance, but this delayed detection caused significant complications in the institution's response efforts because the institution's focus shifted from immediate containment to ensuring regulatory compliance, managing reputational risks, and ensuring identity protection for millions of people affected. 

A comprehensive identity protection plan has been implemented by the University of Phoenix in response to the breach. This program offers a 12-month credit monitoring service, dark web surveillance service, identity theft recovery assistance, and an identity theft reimbursement policy that covers up to $1 million for those who have been affected by the breach. 

The institution has not formally admitted liability for the incident, but there is strong evidence that it is part of a larger extortion campaign by the Clop ransomware group to take over the institution. A security analyst indicates Clop took advantage of a zero-day vulnerability (CVE-2025-61882) in Oracle's E-Business Suite in early August 2025, and that it has also been exploited in similar fashion to steal sensitive data from other prominent U.S universities, including Harvard University and the University of Pennsylvania, in both of whom confirmed that their students' and staff's personal records were accessed by an unauthorized third party using compromised Oracle systems. 

The clone has a proven history of orchestrating mass data theft, including targeting various file transfer platforms, such as GoAnywhere, Accellion FTA, MOVEit, Cleo, and Gladinet CentreStack, as well as MFT platforms such as GoAnywhere. The Department of State has announced that a reward of up to $10 million will be offered to anyone who can identify a foreign government as the source of the ransomware collective's operations. 

The resulting disruption has caused a number of disruptions in the business environment. In addition to the wave of incidents, other higher-education institutions have also been victimized by cyberattacks, which is a troubling pattern. 

As a result of breaches involving voice phishing, some universities have revealed that their development, alumni, and administrative systems have been accessed unauthorized and donor and community information has been exfiltrated. Furthermore, this incident is similar to other recent instances of Oracle E-Business Suite (EBS) compromises across U.S. universities that have been reported. 

These include Harvard University and the University of Pennsylvania, both of whom have admitted that unauthorized access was accessed to systems used to manage sensitive student and staff data. Among cybersecurity leaders, leadership notes the fact that universities are increasingly emulating the risk profile associated with sectors such as healthcare, characterized by centralized ecosystems housing large amounts of long-term personal data.

In a world where studies of student enrolment, financial aid records, payroll infrastructure and donor databases are all kept in the same place, a single point of compromise can reveal years and even decades of accumulated personal and financial information, compromising the unique culture of the institution. 

Having large and long-standing repositories makes colleges unique targets for hacker attacks due to their scale and longevity, and because the impact of a breach of these repositories will be measured not only in terms of the loss of records, but in terms of the length of exposure as well as the size of the population exposed. 

With this breach at University of Phoenix, an increasing body of evidence has emerged that U.S colleges and universities are constantly being victimized by an ever more coordinated wave of cyberattacks. There are recent disclosures from leading academic institutions, including Harvard University, the University of Pennsylvania, and Princeton University, that show that the threat landscape goes beyond ransomware operations, with voice-phishing campaigns also being used as a means to infiltrate systems that serve to facilitate alumni engagement and donor information sharing. 

Among the many concerns raised by the developments, there are also concerns over the protection of institutional privacy. During an unusual public outrage, the U.S. Department of State has offered an unusual reward of $10 million for information that could link Clop's activities to foreign governments. This was a result of growing concerns within federal agencies that the ransomware groups may, in some cases, intersect with broader geopolitical strategies through their financial motivations. 

University administrators and administrators have been reminded of the structural vulnerability associated with modern higher education because it highlights a reliance on sprawling, interconnected enterprise platforms that centralize academic, administrative, and financial operations, which creates an environment where the effects of a single breach can cascade across multiple stakeholder groups. 

There has been a remarkable shift in attackers' priorities away from downright disrupting systems to covertly extracting and eradicating data. As a result, cybersecurity experts warn that breaches involving the theft of millions of records may no longer be outliers, but a foreseeable and recurring concern. 

University institutions face two significant challenges that can be attributed to this trend-intensified regulatory scrutiny as well as the more intangible challenge of preserving trust among students, faculty, and staff whose personal information institutions are bound to protect ethically and contractually. 

In light of the breach, the higher-education sector is experiencing a pivotal moment that is reinforcing the need for universities to evolve from open knowledge ecosystems to fortified digital enterprises, reinforcing concerns.

The use of identity protection support may be helpful in alleviating downstream damage, but cybersecurity experts are of the opinion that long-term resilience requires structural reform, rather than episodic responses. 

The field of information security is moving towards layered defenses for legacy platforms, quicker patch cycles for vulnerabilities, and continuous network monitoring that is capable of identifying anomalous access patterns in real time, which is a key part of the process. 

During crisis periods, it is important for policy analysts to emphasize the importance of institutional transparency, emphasizing the fact that early communication combined with clear remediation roadmaps provides a good opportunity to limit misinformation and recover stakeholder confidence. 

In addition to technical safeguards, industry leaders advocate for expanded security awareness programs to improve institutional perimeters even as advanced tools are still being used to deal with threats like social engineering and phishing. 

In this time of unprecedented digital access, in which data has become as valuable as degrees, universities face the challenge of safeguarding information, which is no longer a supplemental responsibility but a fundamental institutional mandate that will help determine the credibility, compliance, and trust that universities will rely on in years to come.

Read more »
Red Hat
big data Cyber Security Data Breach Nissan Red Hat

Nissan Says Customer Data Exposed After Breach at Red Hat Systems

 

Nissan Motor Co Ltd said that personal information of thousands of customers was exposed following a cyber breach at Red Hat, the US based software company it had engaged to develop customer management systems. 

The Japanese automaker said it was notified by Red Hat in early October that unauthorized access to a server had resulted in data leakage. The affected system was part of a Red Hat Consulting managed GitLab environment used for development work. 

Nissan said the breach involved customer information linked to Nissan Fukuoka Sales Co Ltd. About 21,000 customers who purchased vehicles or received services in Fukuoka, Japan were affected. 

The exposed data included customer names, physical addresses, phone numbers, email addresses and other information used in sales and service operations. Nissan said no credit card or payment information was compromised. 

“Nissan Motor Co Ltd received a report from Red Hat that unauthorized access to its data servers had resulted in information being leaked,” the company said in a statement.

It added that it has no evidence the data has been misused. Red Hat acknowledged earlier that an attacker had accessed and copied data from a private GitLab instance, affecting multiple organisations. 

The breach was disclosed publicly in early October after threat actors claimed to have stolen hundreds of gigabytes of data from tens of thousands of private repositories. The intrusion was initially claimed by a group calling itself Crimson Collective. 

Samples of the stolen data were later published by another cybercrime group, ShinyHunters, as part of an extortion effort. Neither Nissan nor Red Hat has publicly attributed the breach to a specific actor. 

Nissan said the compromised Red Hat environment did not store any additional Nissan data beyond what has already been confirmed. The company said it has informed affected customers and advised them to remain alert for suspicious emails, calls or messages that could exploit the leaked information. 

Cybersecurity experts say such data can be used for social engineering attacks, including phishing and impersonation scams, even if financial details are not exposed. The incident adds to a series of cybersecurity issues involving Nissan. 

In late August, a Qilin ransomware attack affected its design subsidiary Creative Box Inc in Japan. Last year, Nissan North America disclosed a breach impacting about 53,000 employees, while an Akira ransomware attack exposed data of roughly 100,000 customers at Nissan Oceania. 

The Red Hat breach has renewed concerns about supply chain security, where compromises at technology vendors can have cascading effects on downstream clients. Nissan said it continues to review its security controls and coordination with third party providers following the incident.
Read more »
VeraBank
Artisans' Bank cyberattack Data Breach Marquis Software ransomware attack US bank data breach VeraBank

Two US Banks Disclose Customer Data Exposure Linked to Marquis Software Ransomware Attack

 

Two American banks have issued public warnings to customers after being affected by a ransomware incident that occurred in August at a widely used financial software provider.

Artisans' Bank and VeraBank notified regulators in Maine last week that recent data breaches traced back to a cyberattack on Marquis Software. The vendor had earlier confirmed it suffered a ransomware attack around August 14, impacting dozens of corporate clients and thousands of individuals connected to those organizations.

In notification letters sent to affected customers, VeraBank clarified that Marquis Software serves as its “customer communication and data analysis vendor.”

“They had access to your data to communicate relevant and necessary updates with you and also to analyze what bank products and services may best fit your needs,” the Texas-based lender stated. “We only provided Marquis with access to your data after they had contractually agreed to secure and protect the same.”

According to VeraBank’s disclosures, 37,318 individuals had personal information compromised, though the bank did not specify exactly what data was taken.

Artisans' Bank, headquartered in Delaware, said it was alerted to the incident by Marquis Software in October. Its investigation revealed that the breach exposed the names and Social Security numbers of 32,344 people.

Both banks emphasized that their internal systems were not compromised and that the stolen information was “maintained by Marquis Software.”

The disclosures make VeraBank and Artisans' Bank the latest financial institutions identified as downstream victims of the Marquis Software attack. The company provides data analytics, compliance services, and digital marketing solutions to hundreds of banks and credit unions nationwide.

Marquis Software stated in its own breach notifications that it contacted federal law enforcement after discovering the cyberattack in August. The company said investigators traced the breach to a vulnerability in a SonicWall firewall device.

According to Marquis Software, the stolen data included names, addresses, phone numbers, Social Security numbers, taxpayer identification numbers, dates of birth, and financial account details that did not include security or access codes.

Between October 27 and November 25, Marquis Software notified at least 74 banks, credit unions, and financial institutions that their data was involved in the breach. The company filed reports with regulators in multiple states, including Maine, South Carolina, Washington, and Iowa, and also issued notices on behalf of several affected institutions.

The firm has not responded to inquiries about whether additional financial organizations have since been impacted or how many total individuals were affected.

Based on victim counts collected from various state breach registries, cybersecurity researchers and law firms estimate the total number of affected individuals could range from approximately 788,000 to 1.35 million.

Cybersecurity firm Comparitech reported obtaining a now-deleted breach notification letter from Iowa-based Community 1st Credit Union that alleged Marquis Software paid a ransom to the attackers. The company has not commented on whether a payment was made, and no ransomware group has publicly claimed responsibility for the attack.


Read more »
yber Espionage
Data Breach firewall vulnerability GCHQ NCSC Ransomware Impact State-Linked Cyber Threat UK Cyber Defense Visa Data Leak yber Espionage

Digital Intrusion at the Heart of UK Diplomacy Verified by Officials


In the wake of the revelation of a serious cybersecurity breach at the Foreign, Commonwealth, and Development Office of the United Kingdom, the integrity of national institutions once again came into the focus of public attention. In October, its systems were breached by an external intrusion, which exposed widespread cybersecurity vulnerabilities.

There is growing concern in the global community about the existence of state-linked cyberattacks targeting government infrastructure, as revealed by minister Chris Bryant in his statement following the revelations. 

Although officials have determined that the breach does not pose a high risk for individuals, preliminary findings suggest that the incident may have involved large volumes of sensitive administrative records, including potentially tens of thousands of visa-related details. Although the precise scale and impact of the attack have not been determined, it is believed that the incident was of a low risk.

Bryant emphasized and cautioned that no attribution has been formally established, nor has a definite link to the operation been established, yet unverified intelligence assessments have pointed to possible involvement by a Chinese cyber group dubbed Storm 1849; however, it is important not to make definitive conclusions before the investigation has been conducted. 

A number of cybersecurity analysts have compared the breach with the 2024 ArcaneDoor campaign, a sophisticated attack that brought together state-sponsored actors, and prompted them to consider overlapping methods and the broader implications of coordinated data targeting campaigns in the future. 

An investigation has already been conducted by government response teams to identify and neutralize the vulnerability that enabled the intrusion, and forensic specialists are now studying log files and access patterns in an effort to determine the intent, origin, and extent of the breach.

Bryant highlighted the complexity of the investigation and stressed that speculation is of no benefit to the investigation, and admitted that determining who is responsible could take a considerable amount of time, reinforcing the government's belief that the official narrative will be based only on substantiated findings. Consequently, authorities have not yet publicly verified the full extent of what information was accessed by this breach, which was detected by government monitoring systems in October. 

It is possible that tens of thousands of visa-related data entries are included in the breach, although there has been no official confirmation yet from the government. When the intrusion was discovered, international security advisories also noted that active exploitation of vulnerabilities affecting a series of Cisco firewalls, including Cisco firewalls manufactured by Cisco, was being detected by government agencies across the country, including the United States and Asia.

Even though the Cyber Security and Communication Centre (CISC) and the Foreign, Commonwealth and Development Office (FCDO) attacks occurred at almost the same time, the UK government has declined to confirm whether the CISC attack was caused by the same infrastructure vulnerabilities as FCDO or a known threat actor, citing the sensitivity of ongoing forensic investigations. 

The trade minister, Sir Chris Bryant, has made public remarks to Sky News acknowledging the compromise, stating that the government had been aware of the intrusion since October, but has cautioned against premature attribution to the cyber group Storm-1849. According to Bryant, the reports circulated are mostly speculative rather than evidence-based, adding that disclosure is limited due to the complexity and anticipated duration of the investigation, which remains unresolved. 

The department's technical response teams confirmed that the vulnerability that enabled the breach had been neutralised swiftly, describing the incident as a technical fault isolated to one of the department's web platforms. 

As a result of risk assessments, it appears that a low likelihood exists that individuals' data will be directly affected, as is the case with current risk assessments. After the intrusion was detected in October, the National Cyber Security Centre (NCSC) confirmed that it is coordinating closely with government departments to determine what operational and personal implications the breach might have, as it has been discovered that systems managed by the Foreign, Commonwealth and Development Office infrastructure have been accessed without authorization without authority, following its discovery. 

The trade minister, Sir Chris Bryant, spoke to national broadcasters and radio networks about the incident. He stressed that the security vulnerability had been swiftly addressed by government response units, and that early risk analysis suggests a low probability of individuals becoming materially affected as a result. Moreover, Bryant stressed the lack of veracity of claims made by foreign states to be involved in the intrusion, especially those linking the intrusion to Chinese actors or the Chinese state. 

According to Bryant, the investigation is at a stage in which only a limited amount of technical details can be divulged at present. A number of reports, including those published in The Sun, suggested that visa-related records may have been a target of the investigation, but the government hasn't provided any confirmation of scope or attribution. 

There has been a formal referral to the Information Commissioner's Office (ICO) of the incident, and the UK's data protection authority has been notified as well for regulatory review. The disclosure comes amid repeated warnings from UK intelligence agencies regarding the growing presence of state-linked espionage activities originating in China, spanning cyber campaigns and intelligence gathering to gather information about the political, commercial, and strategic affairs of the nation.

It has been reported by GCHQ publicly that its most significant national security focus is countering threats from China, which is greater than all other state adversaries when it comes to resources allocated to defensive purposes. According to Bryant's remarks released on Friday, government institutions remain persistent targets for outside cyber operations. In his remarks, he asserted that officials are still assessing the consequences of their actions, reaffirming that future statements will be based on validated findings, not speculation. 

It is expected that this breach will intensify the existing discussion around the government's digital transformation agenda, and the proposals to establish a national digital identity framework in particular. There is no doubt that government IT infrastructure is routinely tested for cybersecurity. However, the timing of the incident has given renewed momentum to those who have been critical of the consolidation of large amounts of identity data. 

There have been reports that centralised citizen authentication systems could be an attractive target for malicious cyber operators, as previously warned. This revelation coincides with an investigation by ITV News that highlighted security concerns surrounding One Login, which will be used to underpin digital identity services in the future. This investigation is part of an ongoing series of ITV News investigations highlighting security concerns associated with One Login. 

Originally documented by Computer Weekly earlier this year, these vulnerabilities were then examined in national media as well, putting a sustained focus on the system's security assurances. It is not surprising that the incident has taken place against a backdrop of disruptive cyber campaigns that have stretched far beyond Whitehall and into key commercial sectors. 

As of 2025, runsomware attacks caused Jaguar Land Rover (JLR) to halt production, affecting supply chains throughout the automobile industry. The Office for National Statistics then attributed part of the UK's November economic slowdown as a result of the operational paralysis caused by the breach. 

Several other major institutions, such as the Co-op and Marks & Spencer, have also confirmed they have been affected by significant cyber incidents, confirming what many analysts have said had been one of the most aggressive periods of online targeting the UK has faced in recent years. 

A coordinated attack on local government networks has disrupted services across four London councils, including the City of London, Hackney, Westminster, and Hammersmith and Fulham, three of whom share a unified IT service. In a later press conference, the NCSC confirmed that sensitive information could have been copied during the attack, prompting them to participate in further investigation as the broader implications of these shared public infrastructure vulnerabilities are assessed. 

A number of cyber threats targeting government and economic infrastructure are emerging rapidly, as evidenced by the incident. However, while the investigation into the Foreign Office breach continues, its broad implications go well beyond a single attack, making it even more important for the public sector to conduct proactive security audits, harden supply chains, and accelerate vulnerability disclosure protocols in order to avoid the same thing happening again. 

The analyst note that while shared infrastructure and centralised authentication platforms are extremely efficient in terms of operational efficiency, they require significantly higher level of safeguards, continuous penetration testing, and multilayered anomaly detection and mitigation procedures in order to mitigate systemic risks.

Despite the fact that the UK government has already signalled that it will increase defense resources through agencies such as the NCSC and GCHQ in order to enhance defence. However, experts argue that long-term resilience will be achieved by simultaneously investing in workforce capabilities, encrypting data compartmentalization, and collaborating with global coalitions that promote cybersecurity. 

It is also imperative for organizations and citizens alike to recognize that digital security is now intertwined with national stability as a matter of necessity. Public trust will be strengthened when emerging digital frameworks are not only responded to quickly, but they must also be transparent, responsible, and accountable to the community.

In order to maintain a sustainable digital governance environment, continued vigilance, structured incident reporting, as well as security-by-design implementation, remain the cornerstones.
Read more »
personal data security
700Credit data breach Cyberattacks Data Breach Data Leak Data protection data security Personal Data Breach personal data security

700Credit Data Breach Exposes Personal Information of Over 5.6 Million Consumers

 

A massive breach at the credit reporting firm 700Credit has led to the leakage of private details of over 5.6 million people, throwing a new set of concerns on the risk of third-party security in the financial services value chain. The firm has admitted that the breach was a result of a supply chain attack on one of its third-party integration partners and did not originate from an internal breach.  

According to the revelations made, this breach has its roots going back to late October 2025, when 700Credit noticed some unusual traffic associated with an exposed API. The firm has more than 200 integration partners who are connected to consumers’ data through APIs. It has been found that one of these partners was compromised as early as July 2025, but this notification was not made to 700Credit, thus leaving an opportunity for hackers to gain unlawful access to an API used for fetching consumers’ credit details from this API connected environment.  

700Credit called this attack a "sustained velocity attack" that began October 25 and continued for over two weeks before being completely contained. Although the company was able to disable their vulnerable API once aware of the attack, attackers had already harvested a large chunk of customer information by exploiting this security hole. The attack is estimated to have compromised 20 percent of available information that was accessed through this vulnerability. 

The compromised information comprises highly sensitive personal information like names, physical addresses, dates of birth, as well as Social Security numbers. Although 700Credit asserted that their primary internal systems as well as login credentials as well as mode of payment are safe from any breach, security experts have indicated that the compromised information is sufficient for identity theft, financial fraud, as well as targeted phishing attacks. Consequently, individuals in the company’s database have been advised to exercise vigilance against any unsolicited messages, especially if they purportedly come from 700Credit or related entities.  

The Attorney General, Dana Nessel, issued a consumer alert warning people not to brush off the notifications received when a breach has occurred, but to be proactive about protecting themselves against fraud using the services of freezing their credit or monitoring their profiles for unusual activity due to the large-scale release of sensitive data that has happened previously. 

In reaction to the incident, 700Credit has already started notifying affected consumers of the breach as a gesture of goodwill, offering two years of complimentary credit monitoring service, as well as offering complimentary credit reports to affected consumers. The company has also partnered with the National Automobile Dealers Association to assist with breach notification with the Federal Trade Commission for a joint notification on affected dealerships. 

Law enforcement agencies have been notified of the breach as part of the continued investigations. This vulnerability highlights the increasing danger of the supply chain vulnerability, especially in companies which have extensive networks in handling personal data of consumers.
Read more »
User Data
AI chat browser extension surveillance Chrome extensions harvesting data Data Breach Privacy Privacy Breach Proxy risk Urban VPN User Data

Inside the Hidden Market Where Your ChatGPT and Gemini Chats Are Sold for Profit

 

Millions of users may have unknowingly exposed their most private conversations with AI tools after cybersecurity researchers uncovered a network of browser extensions quietly harvesting and selling chat data.Here’s a reminder many people forget: an AI assistant is not your friend, not a financial expert, and definitely not a doctor or therapist. It’s simply someone else’s computer, running in a data center and consuming energy and water. What you share with it matters.

That warning has taken on new urgency after cybersecurity firm Koi uncovered a group of Google Chrome extensions that were quietly collecting user conversations with AI tools and selling that data to third parties. According to Koi, “Medical questions, financial details, proprietary code, personal dilemmas,” were being captured — “all of it, sold for ‘marketing analytics purposes.’”

This issue goes far beyond just ChatGPT or Google Gemini. Koi says the extensions indiscriminately target multiple AI platforms, including “Claude, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI) and Meta AI.” In other words, using any browser-based AI assistant could expose sensitive conversations if these extensions are installed.

The mechanism is built directly into the extensions. Koi explains that “for each platform, the extension includes a dedicated ‘executor’ script designed to intercept and capture conversations.” This data harvesting is enabled by default through hardcoded settings, with no option for users to turn it off. As Koi warns, “There is no user-facing toggle to disable this. The only way to stop the data collection is to uninstall the extension entirely.”

Once installed, the extensions monitor browser activity. When a user visits a supported AI platform, the extension injects a specific script — such as chatgpt.js, claude.js, or gemini.js — into the page. The result is total visibility into AI usage. As Koi puts it, this includes “Every prompt you send to the AI. Every response you receive. Conversation identifiers and timestamps. Session metadata. The specific AI platform and model used.”

Alarmingly, this behavior was not part of the extension’s original design. It was introduced later through updates, while the privacy policy remained vague and misleading. Although the tool is marketed as a privacy-focused product, Koi says it does the opposite. The policy admits: “We share the Web Browsing Data with our affiliated company,” described as a data broker “that creates insights which are commercially used and shared.”

The main extension involved is Urban VPN Proxy, which alone has around six million users. After identifying its behavior, Koi searched for similar code and found it reused across multiple products from the same publisher, spanning both Chrome and Microsoft Edge.

Affected Chrome Web Store extensions include:
  • Urban VPN Proxy – 6,000,000 users
  • 1ClickVPN Proxy – 600,000 users
  • Urban Browser Guard – 40,000 users
  • Urban Ad Blocker – 10,000 users
On Microsoft Edge Add-ons, the list includes:
  • Urban VPN Proxy – 1,323,622 users
  • 1ClickVPN Proxy – 36,459 users
  • Urban Browser Guard – 12,624 users
  • Urban Ad Blocker – 6,476 users
Despite this activity, most of these extensions carry “Featured” badges from Google and Microsoft. These labels suggest that the tools have been reviewed and meet quality standards — a signal many users trust when deciding what to install.

Koi and other experts argue that this highlights a deeper problem with extension privacy disclosures. While Urban VPN does technically mention some of this data collection, it’s easy to miss. During setup, users are told the extension processes “ChatAI communication” along with “pages you visit” and “security signals,” supposedly “to provide these protections.”

Digging deeper, the privacy policy spells it out more clearly: “‘AI Inputs and Outputs. As part of the Browsing Data, we will collect the prompts and outputs queried by the End-User or generated by the AI chat provider, as applicable.’” It also states plainly: “‘We also disclose the AI prompts for marketing analytics purposes.’”

The extensions, Koi warns, “remained live for months while harvesting some of the most personal data users generate online.” The advice is blunt: “if you have any of these extensions installed, uninstall them now. Assume any AI conversations you've had since July 2025 have been captured and shared with third parties.”

Read more »
RansomHouse
Askul Data Breach Data Theft Japanese Firm RansomHouse

Askul Confirms RansomHouse Ransomware Breach Exposed 740,000 Records

 

Japanese e-commerce giant Askul Corporation confirmed that a ransomware attack carried out by the RansomHouse group led to the theft of about 740,000 customer records in October 2025. Askul, which is a major supplier of office supplies and logistics services owned by Yahoo! Japan, suffered a critical failure within their IT system due to the breach, forcing the company to shut down shipments to customers, including the popular retail chain Muji. 

Compromised data includes approximately 590,000 business customer service records, 132,000 individual customer records, 15,000 records of business partners (outsourcers, agents, suppliers), and about 2,700 records of executives and employees across group companies. 

Detailed information about the breach is not being disclosed by Askul to avoid further exploitation. The company is trying to individually contact affected customers and partners. It has reported the incident to Japan's Personal Information Protection Commission and put in place long-term monitoring to mitigate the risk of misuse. 

The RansomHouse group is known to conduct both data exfiltration and encryption operations, and it announced the breach on October 30, followed by two data leaks on November 10 and December 2. An Askul investigation found that the breach occurred due to compromised authentication credentials related to an outsourced partner administrator account that did not have multi-factor authentication (MFA). After accessing the systems, the attackers performed reconnaissance, gathered authentication information, disabled EDR software, and moved laterally between servers to gain privileged access. 

Several types of ransomware were deployed; some were even capable of bypassing the EDR signatures of the time. This resulted in widespread data encryption and systemic outages. Another step the attackers took was to clear the backup files to further impede recovery. Askul severed connectivity to infected networks, isolated affected systems, updated EDR signatures, and implemented MFA for all critical systems. 

As of mid-December, Askul continues to face disruptions in order shipping and is working to fully restore its systems. The financial impact of the attack has not yet been estimated, and the company has postponed its scheduled earnings report to allow for a thorough assessment.
Read more »
Shinhan Card
Credit Card Data Breach Personal Information Regulatory Compliance Shinhan Card

Shinhan Card Faces Regulatory Review Over Internal Data Sharing Incident

 



Shinhan Card, one of South Korea’s largest credit card companies, has disclosed a data leak involving the personal information of approximately 192,000 merchants. The company confirmed the incident on Tuesday and said it has notified the Personal Information Protection Commission, the country’s data protection regulator.

The affected individuals are self-employed merchants who operate franchised businesses and had provided personal information during standard onboarding and contract procedures. According to Shinhan Card, the exposed data was limited in nature and did not include sensitive financial or identification details.

The company stated that information such as credit card numbers, bank account data, citizen registration numbers, and credit records were not compromised. Based on its current review, Shinhan Card said there is no evidence that the leaked information has been misused.


Incident Linked to Internal Handling, Not External Attack

Shinhan Card clarified that the incident did not involve hacking or unauthorized system access from outside the organization. Instead, the company believes the leak resulted from improper internal data handling.

Preliminary findings indicate that an employee at one of the company’s sales branches shared merchant information with a card recruiter for sales-related purposes. The data transfer reportedly violated internal policies governing the use and distribution of personal information.

The company said the internal channel used to transmit the data has since been blocked. An internal investigation was launched immediately after the issue was identified, and Shinhan Card is reviewing employee access controls and oversight mechanisms.

Most of the leaked records consisted of mobile phone numbers, accounting for around 180,000 cases. In approximately 8,000 instances, phone numbers were shared alongside merchant names. A smaller portion of the records also included additional personal details such as date of birth and gender.

Shinhan Card stated that its investigation did not uncover any cases where more sensitive personal or financial data was included in the leak. The company also said that no confirmed cases of fraud, identity theft, or other misuse linked to the exposed information have been reported to date.

The affected data belongs to merchants who signed agreements with Shinhan Card between March 2022 and May 2025.


Regulatory Notification and Review Process

The issue first came to the attention of authorities last month, when a report was submitted to the Personal Information Protection Commission. Following the initial notification, the regulator requested additional documentation to assess the scope of the incident and determine how the data was handled.

Shinhan Card formally reported the breach to the commission on December 23, in line with South Korea’s data protection disclosure requirements. The company said it continues to cooperate with the regulator as the review process remains ongoing.


Company Response and Merchant Guidance

In response to the incident, Shinhan Card issued a public apology and published detailed information through its website and mobile application. A dedicated service page has been made available to allow merchants to check whether their personal data was affected.

The company has advised merchants to remain cautious of suspicious calls, messages, or unsolicited contact attempts, even though no misuse has been confirmed so far. Shinhan Card said it is strengthening internal controls and reviewing how personal data is accessed and shared within the organization.

Regulatory authorities have not yet announced whether corrective measures or penalties will follow. Shinhan Card has said it will continue cooperating with the review while monitoring for any signs of misuse related to the exposed data.



Read more »
visa security
Data Breach e-visa system vulnerability Flaw passport data exposure Personal Data personal data leak Somalia Somalia cyber security Somalia data breach visa security

Security Flaw Exposes Personal Data on Somalia’s E-Visa System Weeks After Major Breach

 

A recently uncovered weakness in Somalia’s electronic visa system has triggered fresh alarm over the protection of travelers’ personal information, coming just weeks after authorities admitted to a large-scale data breach affecting tens of thousands of applicants. Findings indicate that the Somalia e-visa platform is missing basic security safeguards, allowing unauthorized access to and downloading of sensitive documents with little technical effort.

The vulnerability was confirmed this week by Al Jazeera following a tip from a source with professional web development experience. The source explained that flaws in the e-visa system could be exploited to extract large volumes of visa application files containing highly confidential data. This exposed information reportedly includes passport details, full names, and dates of birth, data that could be abused for criminal activities or intelligence purposes.

According to the source, evidence of the security lapse was shared with Al Jazeera, along with proof that Somali authorities had been formally notified about the vulnerability a week earlier. Despite these warnings, the source said there was no response from officials and no sign that corrective measures had been taken.

Al Jazeera independently confirmed the claims by recreating the flaw as described. During testing, journalists were able to download e-visa documents belonging to dozens of individuals in a short time. The affected records included applicants from multiple countries, such as Somalia, Portugal, Sweden, the United States, and Switzerland.

“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” Bridget Andere, a senior policy analyst at the digital rights organization Access Now, said in comments to Al Jazeera. She added that such incidents go beyond technical shortcomings and can have long-term implications for personal safety and privacy.

New Vulnerability Surfaces After Earlier Mass Data Leak

This latest Somalia e-visa security issue emerges less than a month after officials announced an investigation into a prior cyberattack on the same system. That earlier breach drew warnings from both the United States and the United Kingdom. According to official alerts, personal data belonging to more than 35,000 Somalia e-visa applicants had been exposed. The US Embassy in Somalia previously said the leaked information included names, photographs, dates and places of birth, email addresses, marital status, and home addresses.

Following that incident, Somalia’s Immigration and Citizenship Agency (ICA) shifted the e-visa platform to a new web domain, stating that the move was intended to improve security. On November 16, the agency said it was treating the breach with “special importance” and confirmed that an investigation was underway. However, the emergence of a new vulnerability suggests that deeper security weaknesses may still persist.

Security Praise Contrasts With Legal Responsibilities

Earlier the same week, Somalia’s Defence Minister, Ahmed Moalim Figi, publicly commended the e-visa system, saying it had helped prevent ISIL (ISIS) fighters from entering the country amid ongoing military operations against a regional affiliate in northern Somalia.

“The government's push to deploy the e-visa system despite being clearly unprepared for potential risks, then redeploying it after a serious data breach, is a clear example of how disregard for people's concerns and rights when introducing digital infrastructures can erode public trust and create avoidable vulnerabilities,” Andere said. She also voiced concern that Somali authorities had not issued a public notice regarding the serious data breach reported in November.

Under Somalia’s data protection law, organizations handling personal data are required to inform the national data protection authority when breaches occur. In cases involving high risk, particularly where sensitive personal data is exposed, affected individuals must also be notified. “Extra protections should apply in this case because it involves people of different nationalities and therefore multiple legal jurisdictions,” Andere added.

Al Jazeera stated that it could not publish specific technical details of the newly discovered flaw because it remains unpatched and could be exploited further if disclosed. Any sensitive data accessed during the investigation was destroyed to safeguard the privacy of those impacted.
Read more »
UK Critical Infrastructure
Clop Ransomware Cybersecurity Dark Web Leak Data Breach Healthcare Cyber Attack Oracle Security Risks Ransomware attack Software Vulnerability UK Critical Infrastructure

Russian Hackers Obtain Sensitive NHS Documents from UK Royal Properties

 


In a recent cyberattack, a ransomware group affiliated with Russia infiltrated the NHS computer system and retrieved hundreds of thousands of highly sensitive medical records, including those associated with members of the royal family, triggering alarms in several parts of the United Kingdom.

A breach, which was first revealed by The Mail on Sunday, revealed that over 169,000 confidential medical documents, some of which contained high-profile patient information, were published on dark-web forums following a software vulnerability within NHS clinical infrastructure that was exploited. 

A number of sources indicated that the attackers took advantage of a software bug in healthcare software and were able to use ransomware and steal classified patient information from networks connected to several royal residences, including Buckingham Palace, Windsor Castle, Sandringham, and Clarence House, which serves as the official home of the King. 

It's important to note that the incident has raised concerns regarding national digital security, patient confidentiality and the ability of critical healthcare systems to withstand state-aligned cybercriminal activities as well as one of the most significant exposures of protected medical data in recent years. 

There has been increasing scrutiny of the NHS following the breach, as 169,000 confidential healthcare records have been discovered on dark web platforms after attackers exploited a software fault in the systems used within the national health network to conduct the intrusion. 

Additionally, reports indicated that the same group had accessed medical files stored in digital environments connected with several royal properties, including Buckingham Palace, Windsor Castle, Sandringham Estate, and Clarence House. This has led to increased concerns regarding how Royal Household records are safeguarded.

There has been no confirmation from the Royal Family as to who had sought treatment or what type of treatment they received, but it is understood that the leaked materials contain information relating to King Charles' ongoing cancer treatment, emphasizing the sensitivity of this issue. 

Cyber security experts had previously cautioned about the vulnerable software that had been compromised in October of last year, to the effect that Russian-aligned cyber operations were not just plausible, but also "highly likely," a risk that has now been confirmed by independent researchers. 

Following subsequent investigations by Google's security division and the GB News, it was determined that a hacking group referred to as Clop had earlier contacted senior executives across numerous organizations requesting money in exchange for withholding stolen data, and that they had asked for payment. It was ultimately not possible to prevent publication of the documents, which later became available online. 

Currently, it is widely recognized that the breach was part of a larger scheme of exploitation which impacted the BBC, as well as several Premier League football clubs, in addition to the breach. As a result, Barts NHS Health Trust has commenced legal action to prevent any further dissemination of this material, and authorities continue to investigate the full extent of the breach and its consequences. In addition to reviving concerns about the security of enterprise software embedded within critical UK institutions, the breach has also renewed earlier concerns about enterprise software security. 

The NHS, as well as the HM Treasury, both rely on Oracle platforms for their core functions in the areas of financial administration, human-resource workflows, payroll, and personnel management. It was reported by security analysts in October that several exploitable weaknesses in the software environment presented an attractive entry point for Russian-linked threat groups as well as a high probability of targeted exploitation occurring without immediate remediation if the flaws were not fixed. 

There was more evidence later to support the warnings that Google had issued on a ransomware collective known as Clop, which had distributed direct email communication to executives across a wide variety of organizations, claiming that sensitive information from their networks had been extracted by the ransomware collective. Google's threat-intelligence division reported that those reports had been strengthened by independent security research. 

It has been noted that in previous mass intrusions, the group was attempting to extort money in exchange for nondisclosure, a tactic similar to high-pressure extortion campaigns that were observed before. The subsequent leak has intensified debate over third-party software risk, supply-chain security, and the greater challenge of protecting a nation's infrastructure that is heavily reliant on widely used commercial platforms even though authorities did not confirm the alerts at that time. There are reports that health records have been compromised to the point of compromise. 

The disclosure of these health records arises during a particularly sensitive time for the monarchy. This follows King Charles's recent public health update indicating gradual progress in his ongoing cancer treatment. It was during a conversation with Channel 4's Stand Up To Cancer campaign, a joint campaign with Cancer Research UK, that the monarch, who had been diagnosed with an unknown form of cancer in February of last year and had first announced his condition publicly in January of this year, gave the monarch hope that, in the near future, his treatment schedule may be relaxed. 

As the King announced at Buckingham Palace this month, he expects his medical interventions to be reduced from beginning next year onwards, which is considered a cautiously optimistic development in his medical treatment. It was during the campaign that the King referred to the structure, regularity, and regularity of his treatment routine, revealing a very intimate insight into an aspect of the Royal Household which, until now, has remained virtually secret. 

It was intended that the update would raise awareness of cancer research and encourage national participation, but because of its timing, the update has inadvertently coincided with renewed concerns about the security of royal medical records. As a result, there has been an increased public debate about privacy, digital security, and the vulnerability of high-sensitivity health records connected to national figures, intensifying. 

It has been reported that public engagement in cancer awareness initiatives has surged in recent weeks following the King's televised appeal, and Cancer Research UK has reported that the number of people visiting its new Cancer Screening Checker has increased drastically. This service was introduced by the charity on 5 December to provide a straightforward way for consumers to compare cancer screening options available through the National Health Service and the Public Health Agency in Northern Ireland, along with personalised advice on eligibility for specific screening categories, and to provide them with the information that they need. 

In total, more than 100,000 people have used the tool to date, many of whom have done so as a result of King Charles sharing a video message on Friday in which he spoke candidly about his own cancer treatment journey on Channel 4’s Stand Up To Cancer programme. According to Michelle Mitchell, Chief Executive of Cancer Research UK, the King’s openness sparked unprecedented public interest, and this led to an unprecedented increase in public interest.

A major part of her argument was that most visits to the checker were made after the monarch discussed his diagnosis and routine care, when national attention was focused on early detection and screening. As a result of the rapid uptake of the service, it is evident that the public is becoming increasingly willing to seek verified health information, as well as the effect high-profile advocacy has on increasing participation in preventive healthcare services.

With the incident, it has become increasingly important for national institutions to balance digital innovation with defensive readiness, particularly when core public services are delivered through commercial infrastructure that is shared among them. In addition to immediate containment, cybersecurity advisors emphasize that maintaining sustained vigilance, releasing vulnerabilities and accelerating software patch cycles are imperative for critical sectors like healthcare, finance, and public administration as well. 

According to security experts, organizations should move towards layered security frameworks that combine encrypted records segmentation, zero-trust access policies, and continual simulations of ransomware attacks to mitigate both the likelihood and impact of future intrusions. The breach emphasizes that cyber literacy at the leadership level is urgently needed in order to assist executives in recognizing extortion tactics before their negotiations reach crisis point. This will help executive managers identify extortion tactics as soon as possible during negotiations. 

After this incident, there is a renewed awareness among the people about the fragility of personal data once it reaches the outside world. This emphasizes the importance of engaging with only reliable health platforms and exercising caution when dealing with unsolicited communications. 

A study is still in progress, but analysts note that the outcome of this breach might influence the way in which a stronger regulatory push is made to ensure software supply chain accountability and real-time threat intelligence sharing across UK institutions. Those lessons that can be drawn from this compromise will ultimately strengthen both policy and practice in an era of persistent, borderless cyber threats, reshaping the country's ability to protect its most sensitive digital assets.
Read more »
Personal Data
Cyber Scams Data Breach Data Leak data security Data Stealer data stealing Infostealer Malware Malwares Personal Data

AuraStealer Malware Uses Scam Yourself Tactics to Steal Sensitive Data

 

A recent investigation by Gen Digital’s Gen Threat Labs has brought attention to AuraStealer, a newly emerging malware-as-a-service offering that has begun circulating widely across underground cybercrime communities. First observed in mid-2025, the malware is being promoted as a powerful data-stealing tool capable of compromising a broad range of Windows operating systems. Despite its growing visibility, researchers caution that AuraStealer’s technical sophistication does not always match the claims made by its developers. 

Unlike conventional malware campaigns that rely on covert infection techniques such as malicious email attachments or exploit kits, AuraStealer employs a strategy that places users at the center of their own compromise. This approach, described as “scam-yourself,” relies heavily on social engineering rather than stealth delivery. Threat actors distribute convincing video content on popular social platforms, particularly TikTok, presenting the malware execution process as a legitimate software activation tutorial. 

These videos typically promise free access to paid software products. Viewers are guided through step-by-step instructions that require them to open an administrative PowerShell window and manually enter commands shown on screen. Instead of activating software, the commands quietly retrieve and execute AuraStealer, granting attackers access to the victim’s system without triggering traditional download-based defenses. 

From an analysis perspective, AuraStealer incorporates multiple layers of obfuscation designed to complicate both manual and automated inspection. The malware disrupts straightforward code execution paths by dynamically calculating control flow at runtime, preventing analysts from easily tracing its behavior. It also leverages exception-based execution techniques, intentionally generating system errors that are intercepted by custom handlers to perform malicious actions. These tactics are intended to confuse security sandboxes and delay detection. 

Functionally, AuraStealer targets a wide range of sensitive information. Researchers report that it is designed to harvest data from more than a hundred web browsers and dozens of desktop applications. Its focus includes credentials stored in both Chromium- and Gecko-based browsers, as well as data associated with cryptocurrency wallets maintained through browser extensions and standalone software. 

One of the more concerning aspects of the malware is its attempt to circumvent modern browser protections such as Application-Bound Encryption. The malware tries to launch browser processes in a suspended state and inject code capable of extracting encryption keys. However, researchers observed that this technique is inconsistently implemented and fails across multiple environments, suggesting that the malware remains technically immature. 

Despite being sold through subscription-based pricing that can reach several hundred dollars per month, AuraStealer contains notable weaknesses. Analysts found that its aggressive obfuscation introduces detectable patterns and that coding errors undermine its ability to remain stealthy. These shortcomings provide defenders with opportunities to identify and block infections before significant damage occurs. 

While AuraStealer is actively evolving and backed by ongoing development, its emergence highlights a broader trend toward manipulation-driven cybercrime. Security professionals continue to emphasize that any online tutorial instructing users to paste commands into a system terminal in exchange for free software should be treated as a significant warning sign.
Read more »
Third Party Risk
API security Automotive Cybersecurity Consumer Data Exposure Credit Monitoring Data Breach identity theft protection phishing threats Supply Chain Attack Third Party Risk

Credit Monitoring Provider Discloses Breach Impacting 5.6 Million Users


A data breach usually does not lend itself to straightforward comparisons, as each occurrence is characterized by distinctive circumstances and carries different consequences for those involved. It is common for headlines to emphasize the scale of an attack, the prominence of the organization that was affected, or the attack method used by the attacker, but in reality, the real significance of a breach lies in the sensitivity of the compromised data, along with the actions that are taken to correct it. 

It was apparent from a disclosure issued by 700Credit, a U.S.-based company that provides consumer information, preliminary credit checks, identity verifications, fraud detections, and compliance solutions for auto, recreational, powersport, and marine dealerships. As a result of a third-party supply-chain attack that occurred late in October 2025, the company confirmed that personally identifiable information had been accessed by unauthorized people through the use of a third-party supply chain. 

It has been revealed that the exposed data includes names, residential addresses, dates of birth, and Social Security numbers, all collected between May and October of the year. Based on the information provided by the agency, approximately 5.6 million people are expected to have been affected by the incident, making it one of the most substantial credit-related data breaches of the year, emphasizing the risks associated with retaining data for a long period of time and relying on external service providers. 

A 700Credit representative confirmed that the compromised information was the result of a breach of a database provided by auto dealerships between May and October 2025 as a result of regular credit verification and identity verification processes. 

Despite acknowledging that the precise technical details of how the intrusion was conducted have not yet been fully determined, the company has attributed the incident to an unidentified threat actor. Although there is no official word on who is affected, it has been revealed that those individuals whose personal data was processed by 700Credit for dealership clients have been brought into focus as data-handling risks arise across the entire automotive retail ecosystem. 

There are broader concerns raised about supply-chain exposures and the downstream impact of such events on consumer confidence, particularly when it comes to sensitive financial and identity-related information that has been disclosed. 

A Michigan Attorney General said that recipients of breach notification letters should not dismiss the letters in response to the disclosure, stressing that taking swift protective measures, such as freezing the credit history and enrolling in credit monitoring services, was critical to reducing the risk of identity theft and fraud that can result from the exposure to the breach. 

However, despite moving quickly to disable the exposed application programming interface (API), 700Credit acknowledged that, in spite of taking steps to prevent threats from accessing consumer records, threat actors were able to extract a significant percentage of them. The company estimates that approximately 20 percent of the affected datasets were accessed, which comprised extremely sensitive data such as names, addresses, birthdates, and Social Security numbers. 

In spite of the fact that 700Credit confirmed that its internal systems, payment platforms, and login credentials were unhacked, cybersecurity experts noted that the stolen data, in both quantity and nature, could still be utilized by phishing and social engineering companies to conduct highly convincing scams. 

Because of this, consumers and dealership clients have been advised to be vigilant when receiving unsolicited communications, especially those that appear to be from 700Credit or its partners, as well as any messages purported to have originated with the company. In addition to the details reported by CBTNews, it is clear that the breach is the result of a compromised integrated partner not alerting 700Credit in a timely manner after they became aware of the breach. 

Researchers have determined that attackers exploited vulnerabilities in the API validation process, which allowed malicious requests to be masked as legitimate partner traffic by exploiting vulnerabilities in the API validation process. An independent forensic analysis confirmed that the intrusion did not extend into 700Credit's internal network or core operational infrastructure, but rather was confined to the application layer through third-party API integration. 

Furthermore, experts concluded that attackers had been able to carry out the majority of the damage without compromising internal systems, underscoring the persistency of security gaps in API-driven architectures, particularly in modern times. 

According to 700Credit, in response, its API inspection controls have been strengthened, the validation framework is now more secure, the insurance coverage for cybersecurity has been expanded, and external cybersecurity firms have been engaged to assess residual risks and mitigate them, all while maintaining uninterrupted service to dealership clients throughout the investigation. 

Additionally to the technical remediation, 700Credit began a coordinated regulatory notification and response involving multiple authorities as well. For compliance with federal Safeguards Rule requirements, the company reported the incident to the Federal Bureau of Investigation and the Federal Trade Commission and also notified the FTC a consolidated breach notification on behalf of the affected dealer clients. 

Upon receiving written notifications of a breach of the Federal Safeguards Rule beginning December 22, 2025, impacted individuals were offered a 12-month free credit monitoring program from TransUnion and identity restoration services as part of the offer. Moreover, as part of the ongoing efforts to resolve consumer and dealer concerns, the company has also been in touch with the National Automobile Dealers Association and has notified state attorneys general throughout the country. 

A dedicated hotline was also established to address the concerns of consumers and dealers. In addition, the Michigan Attorney General issued a public consumer alert after an estimated 160,000 Michigan residents were identified as being affected by the fraud. They advised recipients to not ignore notification letters and to take immediate precautionary measures, such as putting a credit freeze on their credit report, signing up to a monitoring service, updating their passwords and enabling multifactor authentication, as soon as possible. 

Earlier this month, Michigan Attorney General Dana Nessel sent a consumer advisory explaining why people should not shrug off correspondence from 700Credit, emphasizing that taking prompt action can significantly reduce the risk of downstream fraud occurring as a result of this situation. 

According to her, victims should consider placing a credit freeze on their credit cards or registering for credit monitoring services, as these can serve as effective first-line defenses against identity theft, so that they may be able to protect themselves effectively. 

Moreover, Nessel emphasized the importance of being alert to potential phishing attempts, strengthening or changing passwords, removing unnecessary data stored on devices and enabling multi-factor authentication across all online services and devices. To be able to identify any suspicious activity as soon as possible, she also advised regularly reviewing credit reports from TransUnion as well as Equifax and Experian. 

As security expert Hill pointed out, the investigation revealed that the automotive retail sector was not adequately prepared in terms of cybersecurity, as highlighted by several industry perspectives. It has been discovered that several large dealerships have well-established security frameworks in place, including continuous monitoring and internal "red team" exercises which test defenses. However, smaller and mid-sized businesses lack the resources necessary to implement the same level of security measures. 

The author warned that these gaps can result in systemic risks within shared data networks, and advised dealerships to increase security awareness, better understand emerging threats, and evaluate the cybersecurity posture of third party partners that may have access to consumer information in a more detailed manner. 

As a whole, the 700Credit breach indicates how cyber risk is distributed across multiple interconnected industries, where vulnerabilities in one partner can ripple outward so that millions of individuals and hundreds of businesses are affected. 

As investigations and notifications continue, it will probably prompt an increased focus on third-party risk management, particularly in sectors which are heavily dependent on the sharing of data and the integration of real-time data. It is important for consumers to maintain vigilance, even after taking initial measures to prevent identity-based fraud, as identity-based fraud often emerges well after the original attack has been made. 

For dealerships and service providers, the breach serves as an alarming example of the need for cybersecurity governance to extend beyond internal systems to include vendors, integrations, and data lifecycle controls, in addition to internal systems. 

In addition to proactive investments in security assessments, employee training, and transparency, analysts note that proactive investments can help minimize both technical exposure and reputational damage in the automotive industry.

It is ultimately up to whether the lessons learned from the incident translate into stronger safeguards and more resilient data practices in the credit monitoring industry as well as automotive retail to determine the long-term impact of the incident.
Read more »
Subscribe to: Comments (Atom)