Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
United States
Allianz Life Data Breach Insurance Company United States

Allianz Data Breach Exposes 1.4 Million Customers — What You Should Do

 



Nearly 1.4 million people in the United States have had their personal information exposed in a recent cyberattack on the Allianz Life Insurance Company of North America.

The breach, which took place on July 16, was carried out through a third-party cloud-based customer management system. Hackers used social engineering (tricking people into giving away access) to break in : a method that has also been used in several other high-profile attacks on insurance and healthcare companies.

Allianz discovered the intrusion a day later, on July 17, and quickly notified federal authorities, including the FBI. The company has stressed that the attack only affected its U.S. branch and that its main systems and networks remain secure.

What information was stolen?

Allianz has not confirmed the exact types of data taken. However, life insurance records usually contain highly sensitive details such as Social Security numbers, birthdates, and financial information. In addition to customers, the data of financial advisors and some employees may also have been exposed.

At this stage, the attackers have not made ransom demands, and the company has not revealed who is behind the incident. Some cybersecurity experts believe the group Scattered Spider, known for targeting insurance firms with similar tactics, may be responsible.

Company response

Allianz says the security flaw has now been fixed, and it has started contacting affected individuals. According to documents filed with the Maine Attorney General’s office, the company will provide two years of free identity theft protection to those impacted.


What you should do if you’re affected

Even though Allianz is offering help, individuals should take their own precautions after a breach:

1. Use identity theft protection services: These services monitor personal data and provide insurance against fraud. It’s best to sign up before becoming a victim.

2. Stay alert for phishing scams: Avoid clicking on suspicious links, QR codes, or email attachments from unknown senders.

3. Monitor your accounts closely: Regularly check bank accounts, insurance records, and credit reports for unusual activity.

4. Be cautious online: Social engineering often involves scammers pretending to be helpful contacts or offering opportunities that seem “too good to be true.”

Practicing strong “cyber hygiene” — being alert, updating security software, and knowing the signs of scams can make a big difference.


What comes next

The investigation is still ongoing, and Allianz has promised to share more details as they emerge, including exactly what type of personal information was exposed. Those affected will likely receive official notification letters by mail.

For now, staying alert and taking preventive steps is the best way to reduce risk after this large-scale data breach.

Read more »
Ransomware
Data Breach Data Privacy Digital Personal Double extortion Healthcare cybersecurity Misconfiguration Patient Ransomware

Over a Million Healthcare Devices Hit by Cyberattack

 


Despite the swell of cyberattacks changing the global threat landscape, Indian healthcare has become one of the most vulnerable targets as a result of these cyberattacks. There are currently 8,614 cyberattacks per week on healthcare institutions in the country, a figure that is more than four times the global average and nearly twice that of any other industry in the country. 

In addition to the immense value that patient data possesses and the difficulties in safeguarding sprawling healthcare networks, the relentless targeting of patients reflects the challenges that healthcare providers continue to face healthcare providers. With the emergence of sophisticated hacktivist operations, ransomware, hacking attacks, and large-scale data theft, these breaches are becoming more sophisticated and are not simply disruptions. 

The cybercriminal business is rapidly moving from traditional encryption-based extortion to aggressive methods of "double extortion" that involve stealing and then encrypting data, or in some cases abandoning encryption altogether in order to concentrate exclusively on exfiltrating data. This evolution can be seen in groups like Hunters International, recently rebranded as World Leaks, that are exploiting a declining ransom payment system and thriving underground market for stolen data to exploit its gains. 

A breach in the Healthcare Delivery Organisations' system risks exposing vast amounts of personal and medical information, which underscores why the sector remains a target for hackers today, as it is one of the most attractive sectors for attackers, and is also continually targeted by them. Modat, a cybersecurity firm that uncovered 1.2 million internet-connected medical systems that are misconfigured and exposed online in August 2025, is a separate revelation that emphasises the sector's vulnerabilities. 

Several critical devices in the system were available, including imaging scanners, X-ray machines, DICOM viewers, laboratory testing platforms, and hospital management systems, all of which could be accessed by an attacker. Experts warned that the exposure posed a direct threat to patient safety, in addition to posing a direct threat to privacy. 

In Modat's investigation, sensitive data categories, including highly detailed medical imaging, such as brain scans, lung MRIs, and dental X-rays, were uncovered, along with clinical documentation, complete medical histories and complete medical records. Personal information, including names, addresses and contact details, as well as blood test results, biometrics, and treatment records, all of which can be used to identify the individual.

A significant amount of information was exposed in an era of intensifying cyber threats, which highlights the profound consequences of poorly configured healthcare infrastructure. There has been an increasing number of breaches that illustrate the magnitude of the problem. BlackCat/ALPHV ransomware group has claimed responsibility for a devastating attack on Change Healthcare, where Optum, the parent company of UnitedHealth Group, has reportedly paid $22 million in ransom in exchange for the promise of deleting stolen data.

There was a twist in the crime ecosystem when BlackCat abruptly shut down, retaining none of the payments, but sending the data to an affiliate of the RansomHub ransomware group, which demanded a second ransom for the data in an attempt to secure payment. No second payment was received, and the breach grew in magnitude as each disclosure was made. Initially logged with the U.S. Health and Human Services (HHS) officials had initially estimated that the infection affected 500 people, but by July 2025, it had reached 100 million, then 190 million, and finally 192.7 million individuals.

These staggering figures highlight why healthcare remains a prime target for ransomware operators: if critical hospital systems fail to function correctly, downtime threatens not only revenue and reputations, but the lives of patients as well. Several other vulnerabilities compound the risk, including ransomware, since medical IoT devices are already vulnerable to compromise, which poses a threat to life-sustaining systems like heart monitors and infusion pumps. 

Telehealth platforms, on the other hand, extend the attack surface by routing sensitive consultations over the internet, thereby increasing the scope of potential attacks. In India, these global pressures are matched by local challenges, including outdated legacy systems, a lack of cybersecurity expertise, and a still-developing regulatory framework. 

Healthcare providers rely on a patchwork of frameworks in order to protect themselves from cybersecurity threats since there is no unified national healthcare cybersecurity law, including the Information Technology Act, SPDI Rules, and the Digital Personal Data Protection Act, which has not been enforced yet.

In their view, this lack of cohesion leaves organisations ill-equipped for future threats, particularly smaller companies with limited budgets and under-resourced security departments. In order to address these gaps, there is a partnership between the Data Security Council of India and the Healthcare Information and Management Systems Society (HIMSS) that aims to conduct a national cybersecurity assessment. As a result of the number of potentially exposed pieces of information that were uncovered as a result of the Serviceaide breach, it was particularly troubling. 

Depending on the individual, the data could include information such as their name, Social Security number, birth date, medical records, insurance details, prescription and treatment information, clinical notes, provider identifications, email usernames, and passwords. This information would vary by individual. As a response, Serviceaide announced that it had strengthened its security controls and was offering 12 months of complimentary credit and identity monitoring to affected individuals. 

There was an incident at Catholic Health that resulted in the disclosure that limited patient data was exposed by one of its vendors. According to the organisation's website, a formal notification letter is now being sent to potentially affected patients, and a link to the Serviceaide notice can be found on the website. No response has been received from either organisation regarding further information. 

While regulatory authorities and courts have shown little leniency in similar cases, in 2019, Puerto Rico-based Inmediata Health Group was fined $250,000 by the HHS' Office for Civil Rights (OCR) and later settled a lawsuit for more than $2.5 million with the state attorneys general and class actions plaintiffs after a misconfiguration resulted in 1.6 million patient records being exposed. As recently as last week, OCR penalised Vision Upright MRI, a small California imaging provider, for leaving medical images, including X-rays, CT scans, and MRIs, available online through an unsecured PACS server. 

A $5,000 fine and an action plan were awarded in this case, making the agency's 14th HIPAA enforcement action in 2025. The cumulative effect of these precedents illustrates that failing to secure patient information can lead to significant financial, regulatory, and reputational consequences for healthcare organisations. It has become increasingly evident that the regulatory consequences of failing to safeguard patient data are increasing as time goes on. 

Specifically, under the Health Insurance Portability and Accountability Act (HIPAA), fines can rise to millions of dollars for prolonged violations of the law, and systemic non-compliance with the law can result. For healthcare organisations, adhering to the regulations is both a financial and ethical imperative. 

Data from the U.S. As shown by the Department of Health and Human Services' Office for Civil Rights (OCR), enforcement activity has been steadily increasing over the past decade, with the year 2022 marking a record number of penalties imposed. OCR's Right of Access Initiative, launched in 2019, aims to curb providers who fail to provide patients with timely access to their medical records in a timely manner. 

It has contributed a great deal to the increase in penalties. There were 46 penalties issued for such violations between September 2019 and December 2023 as a result of enforcement activity. Enforcement activity continued high in 2024, as OCR closed 22 investigations with fines, even though only 16 of those were formally announced during that year. The momentum continues into 2025, bolstered by an increased enforcement focus on the HIPAA Security Rule's risk analysis provision, traditionally the most common cause of noncompliance. 

 Almost ten investigations have already been closed by OCR with financial penalties due to risk analysis failures as of May 31, 2025, indicating the agency's sharpened effort to reduce the backlog of data breach cases while holding covered entities accountable for their failures. It is a stark reminder that the healthcare sector stands at a crossroads between technology, patient care, and national security right now as a result of the increasing wave of cyberattacks that have been perpetrated against healthcare organisations. 

 Hospitals and medical networks are increasingly becoming increasingly dependent on the use of digital technologies, which means every exposed database, misconfigured system, or compromised vendor creates a greater opportunity for adversaries with ever greater resources, organisation, and determination to attack them. In the absence of decisive investments in cybersecurity infrastructure, workforce training, and stronger regulatory frameworks, experts warn that breaches will not only persist but will intensify in the future. 

A growing digitisation of healthcare in India makes the stakes even higher: the ability to preserve patient trust, ensure continuity of care, and safeguard sensitive health data is what will determine if digital innovation becomes a valuable asset or a liability, particularly in this country. In the big picture, it is also obvious that cybersecurity is no longer a technical afterthought but has evolved into a pillar of healthcare resilience, where failure has a cost that goes far beyond fines and penalties, and concerns involving patient safety as well as the lives of people involved.
Read more »
university of West Australia
Cybersecurity Data Breach Password university of West Australia

University of Western Australia Hit by Cybersecurity Breach

 


The University of Western Australia (UWA) has confirmed a concerning cybersecurity incident that left thousands of staff, students, and visitors temporarily locked out of their accounts after hackers gained access to password data.

The breach was detected late Saturday, prompting UWA to immediately restrict access and require all users to reset their passwords. University officials stressed that the action was taken as a precaution to limit further risks.

Fiona Bishop, the university’s Chief Information Officer, explained that a critical response team was quickly formed to deal with the issue. According to her, IT staff worked through the night and across the weekend to reset login details and secure systems. She described the process of tracking the breach as “like following footprints in the sand,” suggesting that while there were signs of unauthorized entry, the full picture would take time to uncover.

At this stage, UWA says there is no evidence that any information beyond passwords was stolen. The investigation is ongoing, and authorities have not identified the source of the attack. Importantly, Bishop confirmed that there has been no indication of ransomware involvement, meaning no group has made contact to demand payment.

To reduce the impact on students, the university granted a three-day extension on assessment deadlines while systems were being restored. Bishop expressed appreciation for the quick efforts of the IT team, noting they worked “feverishly” to get operations back on track.

Despite the disruption, UWA has reassured its community that teaching and classes will continue as scheduled. Support teams are still assisting staff and students with password resets and will remain available until the situation is fully resolved.

Bishop also acknowledged the broader issue of cyberattacks in higher education. “Universities hold enormous amounts of valuable data, and the sector has increasingly become a target as it becomes more digital,” she said. She added that cyber threats against universities are ongoing and continue to grow in scale.

UWA has pledged to strengthen its security systems following the breach and emphasized its commitment to protecting personal information. For now, the priority remains ensuring that all users can safely access their accounts and resume their academic and professional work without interruption.

Read more »
SBI credit card fraud
₹2.6 crore scam Data Breach Delhi Police arrests Gurugram call centre data leak SBI credit card fraud

18 Arrested in ₹2.6 Crore SBI Credit Card Fraud, Data Leaked from Gurugram Call Centre

 

The Delhi Police announced on Saturday that 18 people have been arrested for allegedly duping State Bank of India (SBI) credit card holders across multiple states of nearly ₹2.6 crore. Interestingly, the syndicate avoided targeting customers in Delhi during their six-month-long operation.

According to investigators, the accused gained access to confidential customer information through insiders at a Gurugram-based call centre. They impersonated SBI executives and persuaded victims to share sensitive details such as OTPs and CVV numbers.

“The syndicate then used the stolen credentials to buy electronic gift cards from platforms like online travel booking platforms, which were subsequently sold to travel agents. The proceeds were laundered through cash and cryptocurrency channels, primarily Tether (USDT),” said Vinit Kumar, Deputy Commissioner of Police (IFSO).

Officials revealed that the scam involved insider leaks at the authorised Card Protection Plan (CPP) call centre, Teleperformance, in Gurugram. Employees allegedly siphoned off confidential SBI credit card data and passed it to the fraudsters.

Using the stolen information, the gang immediately purchased high-value e-gift cards, which were either sold to travel agents for cash or converted into cryptocurrency, making the money trail almost impossible to trace, police said.

The arrested individuals include the alleged masterminds Ankit Rathi, Waseem, and Vishal Bhardwaj, along with call centre staff Vishesh Lahori and Durgesh Dhakad, accused of leaking customer data. Several other members handled operations, finances, and SIM card procurement.

During the crackdown, police seized 52 mobile phones, multiple SIM cards, and detailed customer banking information.

Authorities further noted that the probe has highlighted serious concerns regarding large-scale data leaks from Teleperformance. “The investigation has also raised concerns about large-scale data leaks from Teleperformance, a Gurugram-based call centre handling critical banking information. The breach exposes the company's inability to safeguard confidential data and raises urgent questions about its security protocols,” police stated.
Read more »
Microsoft vulnerability
CBC CVSS CyberCrime Cyberhacks Data Breach Hackers Hackers Breach Microsoft Flaw Microsoft vulnerability

Microsoft Flaw Blamed as Hackers Breach Canada’s House of Commons

 


In a recent security incident involving Canada's parliamentary network, hackers exploited a recently released Microsoft vulnerability to breach the House of Commons network, shaking up the country's parliament. 

According to an internal e-mail obtained by CBC News, the intrusion occurred on Friday and affected a database that was used to manage computers and mobile devices. The data revealed in the email included names, titles, email addresses, and details about computers and mobile devices, including operating systems, model numbers, and telephone numbers. 

Officials have not been able to link the attack with any nation-state or criminal group, but questions remain as to whether additional sensitive information has been accessed. According to a statement from Olivier Duhaime, spokesperson for the Speaker's Office, the House of Commons is cooperating closely with its national security partners to conduct an investigation. However, he declined to provide further information due to security concerns. 

An unauthorised actor gained access to the House's systems, which was first reported by CBC News on Monday, leading to the public discovery of the breach. According to an internal email of the intruders, they exploited a recent Microsoft vulnerability in order to gain access to parliamentary computers and mobile devices. 

There was a lot of information exposed, including employee names, job titles, office locations, e-mail addresses, as well as technical information about devices controlled by the House. A cybersecurity agency such as Canada's Communications Security Establishment (CSE) has joined the investigation, although no one knows who the attackers are. 

According to the CSE, a threat actor is defined as any entity seeking to disrupt or access a network without authorisation. In a recent report, the agency warned that foreign nations like China, Russia, and Iran are increasingly targeting Canadian institutions, despite this fact. Nevertheless, no attribution has been established in this case, and officials have cautioned against using the compromised information for scams, impersonation, or further invasions. 

According to Canada's latest Cyber Threat Assessment, the country faces an ever-increasing exposure to digital threats, and it is described as a "valuable target" for both state-sponsored adversaries and criminals who are financially motivated to do so. In the last two years, the Canadian Centre for Cyber Security has reported a significant increase in the number and severity of cyber-attacks, with a warning that state actors are increasingly aggressive. 

It has also been noted that cybercriminals are increasingly using illicit business models and artificial intelligence to expand their capabilities, according to Rajiv Gupta, head of the centre. Chinese cyber threats pose the greatest threat to Canada, according to the report, and it indicates that at least 20 government networks were compromised by threat actors affiliated with the People's Republic of China over the past four years.

The House of Commons incident is likely to be linked to a recently exploited zero-day Microsoft SharePoint vulnerability, which is known as CVE-2025-53770, although officials have not confirmed which particular flaw was exploited. During the exploitation of untrusted data in on-premises SharePoint Server, a vulnerability that has a CVSS score of 9 was discovered, which could allow an attacker to remotely execute code. 

The vulnerability has been reported by Viettel Cyber Security through Trend Micro’s Zero Day Initiative since July. Since then, the vulnerability has been actively exploited, which prompted Microsoft to issue a warning and recommend immediate measures to mitigate the problem while a full patch is being prepared. As a result of the breach of parliament, members and staff have been urged to stay vigilant against potential scams. 

The incident occurs at a time when Canada is facing an escalation of cyber threats that are becoming increasingly sophisticated as both adversaries and financially motivated criminals are increasingly leveraging advanced tools and artificial intelligence in order to gain an edge over their adversaries. During the past four years, the federal government has confirmed at least 20 network compromises linked to Beijing, indicating that China is the most sophisticated and active threat actor. 

There is an increasing pressure on Canada's critical infrastructure due to recent incidents like the hack on WestJet in June that disrupted both the airline's internal systems as well as its mobile application. Initially discovered in May, this vulnerability, which was confirmed to be actively exploited in late July, can allow the attacker to execute code remotely, allowing them to gain access to all SharePoint content, including sensitive configurations and internal file systems. 

As Costis pointed out, many major organisations, including Google and the United States, have recently been breached as a result of vulnerabilities in Microsoft platforms like Exchange and SharePoint. Several ransomware groups, including Salt Typhoon and Warlock, have been reported to have exploited these vulnerabilities by targeting nearly 400 organisations worldwide as a result of these campaigns.

In addition, the United States Cybersecurity and Infrastructure Security Agency (CISA) has also warned about the vulnerability, known as the “ToolShell” vulnerability. It was warned earlier this month that the vulnerability could enable not only unauthenticated access to systems, but also authenticated access to them through the use of network spoofing. This type of exploit could allow attackers to take complete control of SharePoint environments, including file systems and internal configurations. 

A Mandiant CEO, Charles Carmakal, emphasised on LinkedIn that it is not just about applying Microsoft's security patch, but about taking steps to mitigate this risk along with implementing Mitigation strategies, in addition to applying Microsoft's security patch. It was reported by Microsoft in a July blog post that nation-state actors based in China have been actively trying to exploit the vulnerability, including Linen Typhoon, Violet Typhoon, and possibly Storm-2603, among others. 

The group has historically targeted the intellectual property of governments, the defence sector, the human rights industry, strategic planning, higher education, as well as the media, finance, and health sectors throughout North America, Europe, and Asia. It has been reported that Linen Typhoon is known for its "drive-by compromises" that exploit existing vulnerabilities, whereas Violet Typhoon constantly scans exposed web infrastructure to find weaknesses, according to Microsoft. 

The House of Commons breach echoes a growing trend of security concerns linked to enterprise technologies that have been widely deployed in the past few years. As a result, government and corporate systems have become increasingly fragile. Because Microsoft platforms are omnipresent, security analysts argue that they provide adversaries with a high-value entry point that can have far-reaching consequences when exploited by adversaries. 

The incident highlights how, not only is it difficult to safeguard sensitive parliamentary data, but also to deal with systemic risks that cross critical sectors such as aviation, healthcare, finance, and higher education when they are exploited. There is an argument to be made that in order to achieve this goal, it will require not only timely patches and mitigations, but a cultural shift as well—one that integrates intelligence sharing, proactive threat hunting, and ongoing investments in cyber defence—along with the ongoing use of cyber defence technologies. 

Even though global threat actors are growing in strength and opportunity, the incident serves as a reminder that it is vital that national institutions are protected with vigilance that matches the sophistication and scale of their adversaries.
Read more »
Remote Workers
Data Breach Data Leak Data protection data security IT workers Job Scams North Korea North Korea Hackers Remote Workers

Leaked Data Exposes Daily Lives of North Korean IT Workers in Remote Work Scams

 

A recent data leak has shed rare light on the hidden world of North Korean IT workers who carry out remote work scams worldwide. The revelations not only expose the highly organized operations of these state-sponsored workers but also offer an unusual glimpse into their demanding work culture and limited personal lives.  

According to the leak, North Korean IT operatives rely on a mix of fraudulent digital identities and sophisticated tools to infiltrate global companies. Using fake IDs, resumes, and accounts on platforms such as Google, GitHub, and Slack, they are able to secure remote jobs undetected. To conceal their location, they employ VPNs and remote access programs like AnyDesk, while AI-powered deepfakes and writing assistants assist in polishing resumes, generating fake profiles, and handling interviews or workplace communication in English. 

The documents reveal an intense work environment. Workers are typically expected to log a minimum of 14 hours per day, with strict quotas to meet. Failure to achieve these targets often results in even longer working hours. Supervisors keep close watch, employing surveillance measures like screen recordings and tight control over personal communications to ensure productivity and compliance. 

Despite the pressure, fragments of normalcy emerge in the leaked records. Spreadsheets point to organized social activities such as volleyball tournaments, while Slack messages show employees celebrating birthdays, exchanging jokes, and sharing memes. Some leaked recordings even caught workers playing multiplayer games like Counter-Strike, suggesting attempts to balance their grueling schedules with occasional leisure. 

The stakes behind these scams are far from trivial. According to estimates from the United Nations and the U.S. government, North Korea’s IT worker schemes generate between $250 million and $600 million annually. This revenue plays a direct role in funding the country’s ballistic missile programs and other weapons of mass destruction, underscoring the geopolitical consequences of what might otherwise appear as simple cyber fraud.  

The leaked data also highlights the global scale of the operation. Workers are not always confined to North Korea itself; many operate from China, Russia, and Southeast Asian nations to evade detection. Over time, the scheme has grown more sophisticated, with increasing reliance on AI and expanded targeting of companies across industries worldwide. 

A critical component of these scams lies in the use of so-called “laptop farms” based in countries like the United States. Here, individuals—sometimes unaware of their role—receive corporate laptops and install remote access software. This setup enables North Korean operatives to use the hardware as if they were legitimate employees, further complicating efforts to trace the fraud back to Pyongyang. 

Ultimately, the leak provides a rare inside view of North Korea’s state-directed cyber workforce. It underscores the regime’s ability to merge strict discipline, advanced digital deception, and even glimpses of ordinary life into a program that not only exploits global companies but also fuels one of the world’s most pressing security threats.
Read more »
Network Security
Airlines aviation Cloud Customer Data customer privacy Data Breach Network Security

Airline suffers data breach, customer information stolen


Air France and KLM announced that threat actors had compromised a customer service platform and stolen customer data. Along with Transavia, KLM and Air France are units of Air France-KLM Group, a Dutch-French multinational airline holding organization. Established in 2004, it is a big name in international air transport. 

"KLM has reported to the Dutch Data Protection Authority; Air France has done this in France at the CNIL. Customers whose data may have been accessed are currently being informed and advised to be extra alert to suspicious emails or phone calls," the group said.

With 78,000 employees and a fleet of 564 aircraft, Air France-KLM offers services for 300 destinations in 90 countries worldwide. The group transported 98 million passengers globally in 2024. The airlines said that they have closed the threat actors’ access to the hacked systems once the breach was discovered. They also claim that the attack didn’t impact their networks.

"Air France and KLM have detected unusual activity on an external platform we use for customer service. This activity resulted in unauthorized access to customer data. Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access. Measures have also been implemented to prevent recurrence. Internal Air France and KLM systems were not affected," the group said.

The attackers stole data, including names, email addresses, contact numbers, transaction records, and details of rewards programs. But the group has said that the passengers’ personal and financial data was not compromised. The airlines have informed the concerned authorities in the respective countries of the attack. They have also notified the impacted individuals about the breach.

"KLM has reported the incident to the Dutch Data Protection Authority; Air France has done so in France with the CNIL.” "Customers whose data may have been accessed are currently being informed and advised to be extra vigilant for suspicious emails or phone calls," they said. 

Read more »
Privacy
Big Brother Watch Biometric data Data Breach facial recognition UK passport photo database Police Surveillance Privacy

UK Police’s Passport Photo Searches Spark Privacy Row Amid Facial Recognition Surge

 

.
Police in the UK have carried out hundreds of facial recognition searches using the national passport photo database — a move campaigners call a “historic breach of the right to privacy,” The Telegraph has reported.

Civil liberties groups say the number of police requests to tap into passport and immigration photo records for suspect identification has soared in recent years. Traditionally, searches for facial matches were limited to police mugshot databases. Now, dozens of forces are turning to the Home Office’s store of more than 50 million passport images to match suspects from CCTV or doorbell footage.

Government ministers argue the system helps speed up criminal investigations. Critics, however, say it is edging Britain closer to an “Orwellian” surveillance state.

A major concern is that passport holders are never informed if their photo has been used in a police search. The UK’s former biometrics watchdog has warned that the practice risks being disproportionate and eroding public trust.

According to figures obtained via freedom of information requests by Big Brother Watch, passport photo searches rose from just two in 2020 to 417 in 2023. In the first ten months of 2024 alone, police had already conducted 377 such searches. Immigration photo database searches — containing images gathered by Border Force — also increased sharply, reaching 102 last year, seven times higher than in 2020.

The databases contain images of people who have never been convicted of a crime, yet campaigners say the searches take place with minimal legal oversight. While officials claim the technology is reserved for serious offences, evidence suggests it is being used for a wide range of investigations.

Currently, there is no national guidance from the Home Office or the College of Policing on the use of facial recognition in law enforcement. Big Brother Watch has issued a legal warning to the Government, threatening court action over what it calls an “unlawful breach of privacy.”

Silkie Carlo, director of Big Brother Watch, said:

“The Government has taken all of our passport photos and secretly turned them into mugshots to build a giant, Orwellian police database without the public’s knowledge or consent and with absolutely no democratic or legal mandate. This has led to repeated, unjustified and ongoing intrusions on the entire population’s privacy.”

Sir Keir Starmer has voiced support for expanding police use of facial recognition — including live street surveillance, retrospective image searches, and a new app for on-the-spot suspect identification.

Sir David Davis, Conservative MP, accused the Government of creating a “biometric digital identity system by the backdoor” without Parliament’s consent. The position of Biometrics Commissioner, responsible for oversight of such technology, was vacant for nearly a year until July.

Government officials maintain that facial recognition is already bound by existing laws, and stress its role in catching dangerous criminals. They say a detailed plan for its future use — including the legal framework and safeguards — will be published in the coming months.
Read more »
PST
CyberCrime Cyberhakers CyberThreat Data Breach Frauds Norwegian Authority Pro-Russian PST

Pro-Russian Hackers Breach Norwegian Dam Systems

 


The Norwegian authorities have confirmed, in a development that illustrates the escalation of cyber threats on Europe's critical infrastructure, that pro-Russian hackers sabotaged a dam in April, affecting water flow for a short period of time. A remote control system linked to the dam's valve was broken in by attackers, according to the Norwegian Police Security Service (PST), which opened it for four hours after a remote attacker infiltrated the system. 

Officials say the incident was not dangerous to nearby communities, but it is part of a broader pattern of hostile cyber activity by Russia and its proxies since the invasion of Ukraine, according to officials. It has been reported that these intrusions are becoming increasingly used against Western nations as a means of spreading fear and unrest due to their increased involvement in cyber warfare. 

More than 70 incidents across Europe, ranging from cyberattacks, vandalism, arson, and attempted assassinations, have been documented by the Associated Press, which Western intelligence services have condemned as “reckless” and warned that these incidents are becoming increasingly violent. As of April 7, Norwegian authorities are now formally linking such an event to Russia, making it the first time such an attack was linked to Russia formally. 

During the intrusion, hackers gained control of a dam in Bremanger, western Norway, manipulating its systems to open a floodgate and release water at a rate of 500 litres per second. The operation continued for roughly four hours before being detected and halted. Officials confirmed that, while the surge did not pose an immediate danger to surrounding areas, the deliberate act underscored the growing vulnerability of essential infrastructure to state-linked cyber operations. 

Various Norwegian security officials have expressed concern that these incidents are a reflection of Russia's hybrid warfare campaign against Western nations, as well as a broader strategy of hybrid warfare waged against them. It has been reported to VG that cyberattacks are on the rise, often not to cause immediate damage, but rather to demonstrate the attackers' capabilities. She cautioned Norway to be on the lookout for more attempts of this type in the future.

A Norwegian intelligence service head, Nils Andreas Stensnes, has also expressed concern about this issue, stating that Russia is considered the greatest threat to the country's security. This particular dam was targeted in April, and is situated about 150 kilometres north of Bergen; and it does not produce energy. According to local media reports, the breach may have been facilitated by a weak password, which allowed the hackers to manipulate the system. 

There is a resemblance between the incident and a January 2024 cyberattack on a Texas water plant that was also linked to Kremlin-backed actors and resulted in an overflow as a result. As it stands, Bremanger's sabotage fits within a pattern that Western officials attribute to Russia as a source of disruptive activity across Europe. 

Over 70 such incidents, including vandalism and arson as well as attempted assassinations, have been documented by the Associated Press, describing them as "reckless" since the Russian invasion of Ukraine in 2015. There is a growing concern among intelligence agencies that these operations are becoming increasingly violent as time goes by. 

Hackers gained access to the dam's digital control system in April and managed to remotely increase water flow for approximately four hours without the threat of immediate danger to those around the dam. In the opinion of police attorney Terje Nedreb Michelsen, it appears that a three-minute video was circulated through Telegram of the control panel on the dam, which is emblazoned with the symbols of a pro-Russian cybercriminal group. 

It is worth noting that similar footage has appeared on social media in the past, but Norwegian police believe this is the first time in history that a pro-Russian hacker has succeeded in compromising critical water infrastructure since 2022. In analysing the incident, analysts note that cyber conflict is evolving in a way that underscores the fact that critical infrastructure, even when not directly connected to national energy grids or defence systems, is becoming an increasingly symbolic target in geopolitical conflicts. 

It is possible for hostile actors to disproportionately damage physical equipment by exploiting outdated security measures or inadequate access controls. It has been stated by experts that, as digital systems control water resources, transportation networks, and industrial facilities become more interconnected, the risk of coordinated multi-target attacks increases. 

Norway's case also illustrates how small nations face challenges when it comes to deterring and responding to cyber attacks by state-backed adversaries with vast resources and operational reach, in addition to the challenges they face. In such environments, security strategists contend that to strengthen cybersecurity, not only must people upgrade technology, but they also need to work closely with intelligence agencies, private operators, and international allies to share threat intelligence and coordinate defensive measures to protect themselves from threats. 

Although the Bremanger intrusion has been contained, it serves as a sober reminder that modern conflicts increasingly play out on the networks and control panels of civilian infrastructure and represent a frontline of conflict in the modern age.
Read more »
Privacy Threat
Data Breach Data Leak Data Theft KLM Alerts Privacy Threat

KLM Alerts Customers After Data Theft by Fraudsters


On Wednesday, Air France and KLM announced a breach of a customer service platform, compromising the personal data of an undisclosed number of customers. The breach highlights the increasing cybersecurity challenges faced by the aviation industry. Air France–KLM Group, the company founded in 2004, is a multinational airline holding company with a French–Dutch core. It is known as one of the largest airline holding companies in the world. 


The two carriers, along with Transavia, operate under it. During the year 2024, the airline company could transport 98 million passengers worldwide through its fleet of 564 aircraft, a workforce of 78,000 employees, and a network that extended to 300 destinations in 90 countries. As a result of this incident, customers as well as the industry as a whole should be concerned. 

There was a report of a breach at an airline group's external customer service platform which gave attackers access to sensitive information, including customer names, contact information, frequent flyer records, and recent transaction history, by accessing an external customer service platform. Although Air France and KLM emphasised that no internal systems or financial data had been compromised, they also confirmed that they were taking immediate steps to prevent any further unauthorised access to their systems. 

Security analysts note that the incident appears to have echoes of the ShinyHunters cybercrime group, an organisation notorious for exploiting platforms like Salesforce through phishing and social engineering campaigns. Regulatory authorities in France and the Netherlands have been notified, and affected passengers have been notified directly. 

There have been several breaches that have impacted major global brands over the year, including Google, Adidas, and many luxury fashion houses, and the group has previously been linked to many such breaches. There has been no confirmation by the airline group whether Salesforce was involved in this attack, but the techniques and the timing of the attack appear consistent with the group's activities. 

Recently, such threats have risen to a large extent, including WestJet and Hawaiian Airlines, which experienced similar breaches in the past few months. These developments have led to the recommendation that customers remain vigilant against possible phishing attacks in light of the recent developments, while industry experts suggest that third-party platforms should be audited rigorously, access controls should be enhanced, and strong cybersecurity frameworks should be implemented in order to protect against future threats. 

Interestingly, the breach bears striking similarities to one disclosed by the Australian carrier Qantas in July, which also involved the compromise of a third-party customer service platform. In that case, hackers were able to gain access to personal information, including the names, dates of birth, e-mail addresses, telephone numbers, and frequent flyer membership numbers of customers. 

It has come to our attention that the attackers had also gotten residential and business addresses as well as hotel delivery addresses associated with lost baggage, and in a few cases, even the meal preferences of passengers, according to a subsequent investigation. According to Qantas, approximately six million people were affected by this attack. 

There is a rise in fraudulent activity that has been targeting the airline's customers, urging passengers to be vigilant against communications from individuals impersonating the airline in the future. According to security sources, the breach is part of a larger wave of attacks attributed to ShinyHunters, a threat actor known for exploiting Salesforce environments through vishing and social engineering techniques, which has been linked to numerous attacks over the years. 

The campaign has also hurt several high-profile organisations, including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and most recently, Google, which has been among the organisations affected. An Air France–KLM spokesman declined to provide further details, citing the ongoing investigation, when asked whether the breach involved a compromised Salesforce instance or how many individuals were affected. 

Several other aviation-related breaches have been linked to the Scattered Spider hacker collective, which has recently turned its attention to targeting airlines and transportation businesses, including this incident. In the past, the Scattered Spider group had attacked insurance companies and retail firms, but in recent months it has been compromising carriers such as WestJet and Hawaiian Airlines. In response to the incident, KLM informed the Dutch Data Protection Authority of the breach, whereas Air France informed the French Data Protection Authority of the breach. 

There is a direct message being sent by both carriers to all of their customers about the compromise, and they are encouraging them to be vigilant against any emails or phone calls that could be influenced by the compromise. Air France–KLM Group, the parent company of the airlines, along with Transavia, operates as a multinational carrier established in 2004. 

Air France–KLM employs approximately 78,000 people and transports millions of passengers every year, all across the globe. There has been no confirmation regarding who perpetrated the breach, however cybersecurity analysts have suggested that it may have been connected to a group called ShinyHunters that have previously infiltrated Salesforce environments to steal data from major brands like Chanel, Tiffany & Co., and Dior to steal their data. 

A cybersecurity expert at Immersive, Ben McCarthy, commented on the possible link between the two systems by explaining that campaigns targeting SaaS platforms like Salesforce underscore how much threat actors value these systems, since a single breach could lead to the access of the data of multiple organisations. This incident is a stark reminder of the security risks inherent in the increasingly complex digital ecosystem, which airlines are increasingly relying on. 

A growing number of carriers are using interconnected platforms and third-party services to enhance customer experiences, but they are also increasing the attack surface that is available to threat actors. It is well known that to protect such large networks, not just advanced technical safeguards are needed, but also continuous collaboration is needed between aviation companies, regulators, and cybersecurity experts.

A number of attacks have demonstrated both persistence and adaptability, so the industry faces a growing need to anticipate threats rather than merely reacting to them. Passengers have a crucial line of defence in the form of heightened awareness, as even the most sophisticated security systems can be compromised by a single successful phishing attack or a manipulated interaction with customers. 

The latest breach in the ever-evolving landscape of cyber threats illustrates what is now becoming a growing reality, which is that trust and security are now equally as essential to the journey as the aircraft themselves, especially in the field of aviation.
Read more »
Personal Data Breach
Data Breach Data Leak Data protection data security Data Theft Italy Personal Data Personal Data Breach

Venice Film Festival Cyberattack Leaks Personal Data of Accredited Participants

 

The Venice Film Festival has reportedly been hit by a cyberattack, resulting in the leak of sensitive personal data belonging to accredited attendees. According to The Hollywood Reporter, the breach exposed information including names, email addresses, contact numbers, and tax details of individuals registered for this year’s event. The affected group includes both festival participants and members of the press who had received official accreditation. News of the incident was communicated through an official notification. 

The report states that unauthorized actors gained access to the festival’s servers on July 7. In response, the event’s IT team acted swiftly to contain the breach. Their immediate measures included isolating compromised systems, securing affected infrastructure, and notifying relevant authorities. Restoration work was launched promptly to minimize disruption. Those impacted by the incident have been advised to contact the festival at privacy@labiennale.org for more information and guidance. 

Organizers assured that the breach would not affect payment processing, ticketing, or booking systems. This means that preparations for the upcoming 82nd edition of the Venice Film Festival will continue as scheduled, with the event set to run from August 27 to September 9, 2025, in Venice, Italy. As in previous years, the program will feature an eclectic mix of global cinema, spanning independent works, arthouse creations, and major Hollywood productions. 

The 2025 lineup boasts notable names in international filmmaking. Hollywood will be represented by directors such as Luca Guadagnino, Guillermo del Toro, Yorgos Lanthimos, Kathryn Bigelow, Benny Safdie, and Noah Baumbach. Baumbach’s new film Jay Kelly features a star pairing of George Clooney and Adam Sandler, alongside a supporting cast that includes Laura Dern, Greta Gerwig, Riley Keough, Billy Crudup, Eve Hewson, Josh Hamilton, and Patrick Wilson. 

Following last year’s Queer, Guadagnino returns with After The Hunt, a morally complex drama starring Ayo Edebiri, Julia Roberts, and Andrew Garfield, screening in the Out of Competition category. Benny Safdie will present The Smashing Machine, featuring Dwayne Johnson and Emily Blunt in a tense sports drama — his first solo directorial effort after his collaborations with brother Josh on acclaimed films like Uncut Gems and Good Time. 

Festival director Alberto Barbera has hinted at a strong awards season presence for several films in the lineup. He cited The Smashing Machine, Kathryn Bigelow’s latest feature, and Guillermo del Toro’s adaptation of Frankenstein as potential Oscar contenders. Despite the cyberattack, the Venice Film Festival remains on track to deliver one of the year’s most anticipated cinematic showcases.
Read more »
stolen information
Data Breach Google Hacking Phishing Attack Salesforce Scams stolen information

Google Confirms Data Breach in Salesforce System Linked to Known Hacking Group

 



Google has admitted that some of its customer data was stolen after hackers managed to break into one of its Salesforce databases.

The company revealed the incident in a blog post on Tuesday, explaining that the affected database stored contact details and notes about small and medium-sized business clients. The hackers, a group known online as ShinyHunters and officially tracked as UNC6040, were able to access the system briefly before Google’s security team shut them out.

Google stressed that the stolen information was limited to “basic and mostly public” details, such as business names, phone numbers, and email addresses. It did not share how many customers were affected, and a company spokesperson declined to answer further questions, including whether any ransom demand had been made.

ShinyHunters is notorious for breaking into large organizations’ cloud systems. In this case, Google says the group used voice phishing, calling employees and tricking them into granting system access — to target its Salesforce environment. Similar breaches have recently hit other companies using Salesforce, including Cisco, Qantas, and Pandora.

While Google believes the breach’s immediate impact will be minimal, cybersecurity experts warn there may be longer-term risks. Ben McCarthy, a lead security engineer at Immersive, pointed out that even simple personal details, once in criminal hands, can be exploited for scams and phishing attacks. Unlike passwords, names, dates of birth, and email addresses cannot be changed.

Google says it detected and stopped the intrusion before all data could be removed. In fact, the hackers only managed to take a small portion of the targeted database. Earlier this year, without naming itself as the victim, Google had warned of a similar case where a threat actor retrieved only about 10% of data before being cut off.

Reports suggest the attackers may now be preparing to publish the stolen information on a data leak site, a tactic often used to pressure companies into paying ransoms. ShinyHunters has been linked to other criminal networks, including The Com, a group known for hacking, extortion, and sometimes even violent threats.

Adding to the uncertainty, the hackers themselves have hinted they might leak the data outright instead of trying to negotiate with Google. If that happens, affected business contacts could face targeted phishing campaigns or other cyber threats.

For now, Google maintains that its investigation is ongoing and says it is working to ensure no further data is at risk. Customers are advised to stay alert for suspicious calls, emails, or messages claiming to be from Google or related business partners.

Read more »
Security Breach
Customer Data CyberCrime Cyberhackers Cybersecurity Data Breach Jewellery Pandora Security Breach

Pandora Admits Customer Data Compromised in Security Breach


 

A major player in the global fashion jewellery market for many years, Pandora has long been positioned as a dominant force in this field as the world's largest jewellery brand. However, the luxury retailer is now one of a growing number of companies that have been targeted by cybercriminals. 

Pandora confirmed on August 5, 2025, that a cyberattack had been launched on the platform used to store customer data by a third party. A Forbes report indicates that the breach was caused by unauthorised access to basic personal information, including customer name and email address. As a result, no passwords, credit card numbers, or any other sensitive financial information were compromised, the company stressed. 

In response to the incident, Pandora has taken steps to contain it, improved its security measures, and stated that at the present time, no evidence has been found that suggests that the stolen information has been leaked or misused. There is no doubt that supply chain dependencies can be a vulnerability for attackers due to the recent breach at Danish jewellery giant Pandora, as evidenced by this breach. 

The incident, rather than being the result of a direct intrusion into Pandora's core infrastructure, has been traced back to a third-party vendor platform — a reminder of the vulnerability of external services, including customer relationship management tools and marketing automation systems, which can be used by hackers as gateways. 

Using this tactic, cybercriminals were able to gain unauthorised access to customer data. Cybercriminals often employ this tactic to facilitate secondary crimes such as phishing, identity theft, and targeted scams. This incident is part of a broader industry challenge, with organisations increasingly outsourcing critical functions while ignoring the security risks associated with these outsourcing agreements. 

However, Pandora has not revealed who the third-party platform is; however, it has confirmed that some of Pandora's customer information was accessed through it, so the company's core internal systems remained unaffected by the intrusion. According to the jewellery retailer, the intrusion has been swiftly contained, and additional security measures have been put in place in order to ensure that future attacks do not occur again. 

According to the investigation, only the most common types of data - the names, dates, and email addresses of customers - were copied, and there was no compromise of passwords, identity documents or financial information. Several researchers have noted that cybercriminals have been orchestrating social engineering campaigns on behalf of companies and help desks for as long as January 2025, often to obtain Salesforce credentials or trick the staff into authorising malicious OAuth applications. 

It is not the only issue that is concerning the retail sector, as Chanel, a French fashion and cosmetics giant, also confirmed earlier this month a cyberattack perpetrated by the ShinyHunter extortion group, reportedly targeting Salesforce applications on August 1 through a social media-based intrusion, causing a significant amount of disruption in the industry. 

In the last year, the UK retail sector has been experiencing challenges as a result of cyberattacks that have affected major brands such as M&S, Harrods, and The Co-op. This latest incident comes at a time when the retail sector has been facing an increasing number of cyberattacks. A breach earlier this year resulting in the theft of customer data led M&S to declare a loss of around £300 million for its annual profit. 

It has been noted that in recent years, retailers have become prime targets for sophisticated hackers due to the vast amounts of consumer information they collect for marketing purposes and the outdated security infrastructure they use. Many retailers have underinvested in cybersecurity resilience in their pursuit of speed, scale, and convenience, which is something well-organised threat actors, such as Scattered Spider, are exploiting by taking advantage of this gap. 

Cybersecurity expert Christoph Cemper advised Pandora customers to remain vigilant against potential phishing emails, warning that such attacks can lead to the theft of sensitive information or financial losses if recipients click malicious links or download harmful attachments. Pandora reaffirmed its commitment to data protection, stating, Cemper, however, emphasised that retailers must adopt more proactive measures to safeguard customer information. 

Despite this incident, Pandora stressed the importance of not compromising passwords, payment information, or other sensitive details of customers. Specifically, the incident only involved “very common types of customer data”, including names and e-mail addresses, with no compromises to passwords, payment information, or other sensitive information. 

As a result of its investigation, the company stated that no evidence of misuse of the stolen data was found, but it advised customers to remain vigilant, especially in situations where they receive unsolicited emails or ask for personal information online. In its warning to customers, Pandora advised them not to click on unfamiliar links or download attachments from unverified sources. 

Pandora did not specify who was responsible for the intrusion, how the hack was executed, or how many people had been affected. Nonetheless, security researchers have been able to link the incident to the ShinyHunters group, which is said to have targeted corporate Salesforce databases with various social engineering and phishing techniques since January 2025. 

Several of the members of this group claim that they will "perform a mass sale or leak" of data from companies unwilling to comply with ransom demands. As far as Salesforce is concerned, the company has not been compromised. Its statement attributed these breaches instead to sophisticated phishing attacks and social engineering attacks that have become increasingly sophisticated over the years, reiterating that customers are responsible for safeguarding their data on their own. 

Today's interconnected retail environment serves as a reminder that cyber risks are no longer confined to a company's own network perimeter but are now a part of a company's wider digital footprint. It has become increasingly apparent that the lines between internal and external security responsibilities are blurring in light of the increasing use of vulnerability in third-party platforms, social engineering tactics, and overlooked digital entry points. 

The stakes for global brands are not limited to immediate disruption to operations. In addition to consumer trust, brand reputation, and regulatory scrutiny, cybersecurity experts agree that a holistic approach is now needed in order to mitigate cyberattacks. In addition to rigorous vendor risk assessments, continuous employee training, advanced threat detection, and resilient incident response frameworks, these strategies are all important. 

In an industry like luxury retail that is vulnerable to cyberattacks, Pandora's experience demonstrates what is becoming an increasingly common industry imperative: proactive defences are becoming not just an option but an essential tool for safeguarding the online relationships of customers and protecting their digital assets.
Read more »
SafePlay
Cyberbreach CyberCrime CyberThreat Data Breach Ingram Ingram Micro Ransom Threat Ransomware SafePlay

Ingram Micro Faces Alleged Breach by SafePay with Ransom Threat

 


As Ingram Micro is dealing with a widespread outage in its global technology distribution operations that appears to be directly linked to a ransomware attack by the cybercrime group SafePay, the company appears to be experiencing a significant disruption. The company has shut down internal systems due to the incident, which has affected the company's website and online ordering platform since Thursday, according to information obtained by BleepingComputer. 

Despite the fact that Ingram Micro is a major business-to-business technology distributor and service provider that offers hardware, software, cloud solutions, logistics, and training to resellers and managed service providers across the world, it has not yet been publicly confirmed what caused the disruption. According to a ransomware group known as SafePay, the group has issued an ultimatum to Ingram Micro, warning that it will publish 3.5 terabytes of allegedly stolen data unless they are paid a ransom by August 1st. 

Several prominent warning signs, along with a countdown clock, are prominently displayed on the leak site of the group, increasing the pressure on the California-based technology distributor to enter into negotiations with the group. During an ongoing investigation, Ingram Micro informed the public on 5 July of a ransomware attack, which resulted in certain internal systems being shut down as a precaution. 

SafePay did not confirm at that time that any data exfiltration occurred, but now, following the breach, the company claims responsibility and asserts that it has obtained a significant volume of sensitive corporate information. A security researcher has found code similarities to the LockBit ransomware family, suggesting a potential rebrand or offshoot. SafePay started causing threats in late 2024 to at least twenty organisations across different industries.

With the group operating under a double-extortion model, not only do they encrypt compromised systems, but they also threaten victims with leaking their data should they refuse to pay the ransom. In the course of investigating the incident, it has been determined that SafePay was responsible for orchestrating the attack, a comparatively new type of ransomware which emerged between September and November 2024. 

Ingram Micro had not attributed the attack to any specific threat actor. However, BleepingComputer has now discovered a link between the breach and the group that employs the double-extortion model, in which data is stolen and encrypted using system encryption, as well as claiming to have compromised more than 200 companies across a wide range of fields, including manufacturing, healthcare, and education. 

There has been some speculation that SafePay exploited vulnerabilities in the GlobalProtect VPN platform to gain access to the company and left ransom notes on the company's employee devices. As a result of the attack, Ingram Micro's AI-driven Xvantage distribution system, as well as its Impulse license provisioning platform, both critical components of the organisation's global operations, were reportedly affected by the hack.

According to Ingram Micro's announcement on July 5, a number of internal systems had been identified as infected with malicious software, following a ransomware attack. An immediate precautionary measure was taken by the company to secure its environment, including proactively taking down systems and implementing mitigation measures, and the company announced the following week that global operations were fully back to normal. 

There has been no mention of the stolen data, ransom demands, or who was responsible on the company's official incident update page or in its 8-K filing to the Securities and Exchange Commission, as of 7 July. Although the company has continued to acknowledge that it is actively investigating the scope of the incident and the nature of any data affected, it has opted not to comment further on it. 

Interestingly, however, the ransomware group SafePay—which claims responsibility for the intrusion—is more forthright, claiming that it has infected 3.5 terabytes of sensitive data and has set the public release deadline of 1 August 2025 if a ransom is not paid. Consequently, a countdown clock is displayed on their leak site stating that if the ransom is not paid, it will release the data publicly. 

As an intermediary in the supply chain for major technology vendors, Ingram Micro is the largest reseller and enterprise network in the world, servicing over 160,000 resellers and enterprise customers worldwide. There is a growing concern among security specialists that the exposure of partner agreements, customer records, and proprietary product information may have a far-reaching impact across the technology channel. 

From enabling targeted phishing attacks to eroding competitive advantages, the risks are extensive across the technology channel. According to industry consultants, organisations should take steps to strengthen access controls, enforce multifactor authentication, monitor for emerging vulnerabilities, and limit remote access to secured VPNs to prevent such threats. 

While Ingram Micro is still investigating the SafePay leak, the persistent countdown clock on the leak site indicates that no agreement has been reached, which makes it more likely for full disclosure of data to occur. If the claimed dataset is made available, vendors, resellers, and end users might have to reset their credentials on a large scale, prepare for targeted scams, and comply with any potential regulatory reporting requirements. 

Security researchers are then expected to examine these files for potential indicators of compromise and tactical insights that could mitigate similar attacks in the future, as well as the likelihood of these attacks occurring again. It was in a brief announcement published by Ingram Micro on a Sunday morning that they had been victimised by ransomware attacks, stating that malicious software was detected on several internal systems. 

During the investigation, the company reported that it took immediate steps to secure its environment, including the initiation of a proactive shutdown of the affected systems, the implementation of additional mitigation measures, the launch of an investigation with the assistance of leading cybersecurity experts, and the notification of authorities. 

Despite the inconvenience caused by Ingram Micro, the company has expressed its sincere apologies to customers, vendors, and partners, as well as a commitment to restoring affected systems so normal order processing and shipping can resume. Palo Alto Networks responded to reports suggesting that attackers had gained access via Ingram Micro's GlobalProtect VPN gateway on 7 Julyemphasisingng that the company was investigating the claims and emphasising that threat actors regularly infiltrate VPNs by using stolen credentials or misconfigured networks. 

It was reported that Ingram Micro had made great progress toward restoring transactional operations by 8 July. Subscription orders, renewals, and modifications had been processed globally again through its central support organisation, and customers across multiple countries, including the UK, Germany, France, Italy, Spain, Brazil, India, China, Portugal, and the Nordic countries, were accepting phone or email orders. 

There are still some restrictions that apply to hardware and technology orders. Sources also indicate that VPN access has been restored in certain regions. Palo Alto Networks later confirmed that none of the company's products were exploited or compromised by the breach. In spite og only operating for about a year, SafePay has established a substantial footprint in the cybercrime landscape, displaying 265 victims on the dark web leak site it has operated for. 

Having been identified in September 2024, this group is believed to have previously deployed LockBit ransomware, though it is unclear whether it is related to LockBit. The SafePay ransomware company claims it is different from many contemporary ransomware operations because it does not utilise affiliates to breach networks as a ransomware-as-a-service model. 

A report by Emsisoft’s Brett Callow indicates that this strategy, along with the preference for a low public profile of the group, may be the group’s attempt to avoid the intense scrutiny that law enforcement authorities have been paying for actions taken against other high-profile gangs in recent months. Among the most active ransomware actors worldwide, SafePay is ranked fourth behind Qilin, Akira, and Play in NCC Group's second quarter 2025 report. 

It has been estimated that this group is responsible for 70 attacks in May 2025 alone, which makes them the most active ransomware operators in the entire month. Ingram Micro and its global network of partners were impacted by the SafePay attack that led to a cascade of operational, financial and reputational consequences. It was reported that technology resellers, managed service providers, and vendors worldwide were unable to conduct transactions due to the downtime of digital commerce platforms, order processing systems, and cloud license provisioning systems. 

As a result of the disruption, hardware and cloud shipments slowed, and downstream partners sought alternate distribution channelsemphasisingng the central role large distributors play in supplying IT products. In the wake of the outage, industry analysts estimate that SafePay has lost up to $136 million in revenue per day, according to industry analysts. SafePay claims to have exfiltrated 3.5 terabytes of sensitive data, including financial, legal, and intellectual property. If its ransom demands are not met, it threatens public release. 

The prolonged downtime, along with limited communication from the company, caused criticism from both customers and industry observers. Experts believe that the incident underscores the vulnerable nature of VPNs and identity management systems, especially where multi-factor authentication is lacking, password security is not enforced, and timely patches aren't applied promptly. 

The report also reflects the increasing use of double-extortion tactics, which combine system encryption with the threat of sensitive data leaks to achieve double extortion. Thus, organisations must prepare not only for the restoration of services, but also for possible repercussions in terms of privacy and legality. Although Ingram Micro had restored global services on 30 July 2025, it remains under continuous extortion threat, and the company is still undergoing an extensive forensic investigation. 

As a result of the Ingram Micro incident, ransomware operations have become increasingly sophisticated and persistent, where a technical compromise is just the beginning of a broader campaign of intimidation and leverage. The tactics employed by SafePay—combining the operational paralysis of core systems with the looming threat of massive data loss—illustrate how modern cyberattacks are built to exert sustained pressure on victims for quite some time after initial containment measures have been completed. 

It has served as a reminder for global supply chain operators that security perimeters must extend far beyond traditional network defenses, including identity verification, remote access governance, and proactive vulnerability management, in addition to traditional network defenses. In light of the interconnected nature of modern information technology ecosystems, it is evident that disruptions can cause shockwaves across multiple industries and markets if a single node is disrupted. 

Several experts have noted that in the wake of high-profile supply chain breaches, threat actors are likely to be more focused on distributors and service aggregators, since they have extensive vendor and customer relationships, which have the potential to increase the impact of financial gains and reputational harm. It is also likely that regulatory bodies will examine these incidents with greater care, particularly where they involve the disclosure of sensitive partner information or customer information, which can result in broader compliance obligations as well as legal liabilities. 

Taking Ingram Micro to the next level will require not only the resolution of immediate security and operational issues, but also the rebuilding of trust with the vast network of customers and partners the company has cultivated. 

To reduce the long-term repercussions of the incident, it is crucial to be transparent in communications following the incident, to demonstrate security enhancements, and to collaborate with the industry to share intelligence on emerging threats. In the course of the investigation, it is likely to become an important reference point for cybersecurity strategy debates, as well as in shaping future policy aimed at protecting global supply chains against cybersecurity threats.
Read more »
WordPress plugin security flaw
Data Breach donor information leak GiveWP vulnerability Pi-hole ad blocker Pi-hole data breach WordPress plugin security flaw

Pi-hole Data Breach Exposes Donor Names and Emails via GiveWP Plugin Vulnerability

 

Pi-hole, a well-known network-level ad-blocker, has confirmed that a security flaw in the GiveWP WordPress donation plugin exposed donor names and email addresses.

Pi-hole functions as a DNS sinkhole, blocking unwanted content before it reaches users’ devices. Originally built for Raspberry Pi single-board computers, it now runs on multiple Linux distributions, both on dedicated hardware and virtual machines.

According to Pi-hole, the issue came to light on Monday, July 28, when donors reported receiving suspicious emails at addresses used solely for contributions. A post-mortem published Friday revealed that the breach impacted individuals who donated through Pi-hole’s official website. Due to a GiveWP vulnerability, personal details became visible to anyone viewing the page's source code—without requiring authentication or special permissions.

The GiveWP plugin, which facilitates donations on the Pi-hole site, inadvertently exposed this information. While Pi-hole did not specify the number of affected donors, data breach tracking service ‘Have I Been Pwned’ listed the incident, estimating that nearly 30,000 donors were impacted, with 73% of those email addresses already in its database.

No payment or financial details were compromised. Credit card and other transaction data are managed directly by Stripe and PayPal. Pi-hole stressed that its core software product was unaffected.

"We make it clear in the donation form that we don't even require a valid name or email address, it's purely for users to see and manage their donations," Pi-hole stated. "It is also important to note that Pi-hole the product is categorically not the subject of this breach. There is no action needed from users with a Pi-hole installed on their network."

Although GiveWP issued a patch within hours after the vulnerability was reported on GitHub, Pi-hole criticized the developer’s handling of the situation, citing a 17.5-hour delay in notifying users and insufficient acknowledgment of the exposure’s seriousness.

Pi-hole apologized to affected donors and acknowledged potential reputational harm. While describing the flaw as unforeseeable, the organization accepted responsibility for the consequences.

"The names and email addresses of anyone that had ever donated via our donation page was there for the entire world to see (provided they were savvy enough to right click->View page source). Within a couple of hours of this report, they had patched the bad code and released 4.6.1," Pi-hole noted.

"We take full responsibility for the software we deploy. We placed our trust in a widely-used plugin, and that trust was broken."
Read more »
Subscribe to: Posts (Atom)