
UK Man Accused in Major International Hacking Case, Faces US Charges

A 25-year-old British citizen has been formally charged in the United States for allegedly leading an international hacking operation that caused millions in damages to individuals, companies, and public institutions.

Authorities in the US claim the man, identified as Kai West, was the person behind an online identity known as "IntelBroker." Between 2022 and 2025, West is accused of breaking into systems of more than 40 organizations and trying to sell sensitive data on underground online forums.

According to court documents, the financial impact of the operation is estimated to be around £18 million. If convicted of the most serious offense—wire fraud—West could face up to 20 years in prison.

Prosecutors believe that West worked with a group of 32 other hackers and also used the online alias “Kyle Northern.” While officials didn’t name the specific forum used, various sources suggest that the activity took place on BreachForums, a site often linked to the trade of stolen data.

Investigators say West posted nearly 160 threads offering stolen data for sale, often in exchange for money, digital credits, or even for free. His alleged victims include a healthcare provider, a telecom company, and an internet service provider—all based in the US. While official names were not disclosed in court, separate reports connect the IntelBroker identity to past breaches involving major companies and even government bodies.

One particularly concerning incident tied to the IntelBroker persona occurred in 2023, when a data leak reportedly exposed health and personal information of US lawmakers and their families. This included details such as social security numbers and home addresses.

Officials say they were able to trace West’s identity after an undercover operation led them to one of his cryptocurrency transactions. A $250 Bitcoin payment for stolen data allegedly helped link him to email addresses used in the operation.

West was arrested in France in February and remains in custody there. The United States is now seeking his extradition so he can stand trial.

The US Department of Justice has called this a “global cybercrime operation” and emphasized the scale of damage caused. FBI officials described West’s alleged activity as part of a long-running scheme aimed at profiting from illegally obtained data.

French authorities have also detained four other individuals in their twenties believed to be connected to the same forum, although no further details have been made public.

As of now, there has been no official response or legal representation comment from West’s side. 

2.2 Million People Impacted by Ahold Delhaize Data Breach

Ahold Delhaize, the Dutch grocery company, reported this week that a ransomware attack on its networks last year resulted in a data breach that affected more than 2.2 million customers. 

The cybersecurity breach was discovered in November 2024, when numerous US pharmacies and grocery chains controlled by Ahold Delhaize reported network troubles. The incident affected Giant Food pharmacies, Hannaford supermarkets, Food Lion, The Giant Company, and Stop & Shop.

In mid-April 2025, Ahold Delhaize was attacked by the Inc Ransom ransomware organisation. Shortly after, the company acknowledged that the hackers probably stole data from some of its internal business systems.

Since then, Ahold Delhaize has determined that personal data was compromised, and those affected are currently being notified. The stolen files included internal employment records for both current and former Ahold Delhaize USA businesses. The organization told the Maine Attorney General's Office that 2,242,521 people are affected.

The compromised information varies from person to person, but it may include name, contact information, date of birth, Social Security number, passport number, driver's license number, financial account information, health information, and employment-related information. Affected consumers will receive free credit monitoring and identity protection services for two years.

The attackers published around 800 Gb of data allegedly stolen from Ahold Delhaize on their Tor-based leak site, which indicates that the company did not pay a ransom. Inc Ransom claimed to have stolen 6 TB of data from the company.

Cyberattacks on the retail industry, notably supermarkets, have increased in recent months. In April, cybercriminals believed to be affiliated with the Scattered Spider group targeted UK retailers Co-op, Harrods, and M&S. 

Earlier this month, United Natural Foods (UNFI), the primary distributor for Amazon's Whole Foods and many other North American grocery shops, was targeted by a hack that disrupted company operations and resulted in grocery shortages. According to UNFI, there is no evidence that personal or health information was compromised, and no ransomware group claimed responsibility for the attack.

Surmodics Hit by Cyberattack, Shuts Down IT Systems Amid Ongoing Investigation

Minnesota-headquartered Surmodics, a leading U.S. medical device manufacturer, experienced a cyberattack on June 5 that led to a partial shutdown of its IT infrastructure. The company, known for being the largest domestic supplier of outsourced hydrophilic coatings used in devices like intravascular catheters, detected unauthorized access within its network and immediately took several systems offline. During the disruption, it continued fulfilling orders and shipping products through alternative channels.

The incident was disclosed in a filing with the U.S. Securities and Exchange Commission (SEC), which noted that law enforcement has been informed. Surmodics joins Artivion and Masimo as the third publicly listed medical device company to report a cyberattack to the SEC in recent months.

With assistance from cybersecurity professionals, Surmodics has managed to restore essential IT operations, though a complete assessment of what data was compromised is still underway. Some systems remain in recovery.

“The Company remains subject to various risks due to the cyber Incident, including the adequacy of processes during the period of disruption of the Company's IT systems, diversion of management's attention, potential litigation, changes in customer behavior, and regulatory scrutiny,” said Timothy Arens, Chief Financial Officer of Surmodics, in the SEC filing.

The identity of the attackers remains unknown, and according to the company, no internal or third-party data has been leaked. Surmodics also confirmed it holds cyber insurance, which is expected to cover the bulk of the breach-related expenses.

The company has expressed concern about potential lawsuits stemming from the attack—a growing trend in the aftermath of corporate data breaches. Recent class actions have targeted firms like Coinbase and Krispy Kreme over compromised personal information.

Financially, Surmodics reported $28 million in revenue last quarter. It is currently involved in a legal dispute with the Federal Trade Commission (FTC), which is attempting to block a $627 million acquisition bid by a private equity firm. The FTC argues that the deal would merge the two largest players in the specialized medical coating industry, potentially reducing competition.

Ahold Delhaize Reports Major Data Breach Affecting Over 2 Million Employees in the U.S.

One of the world’s largest grocery retail groups has confirmed a major cyber incident that compromised sensitive information belonging to more than 2.2 million individuals across its U.S. operations.

The company, known for running supermarket chains like Food Lion, Giant Food, and Stop & Shop, revealed that a ransomware attack last November led to unauthorized access to internal systems. This breach primarily exposed employment-related data of current and former workers, according to a recent report filed with the Maine Attorney General’s office.


What Information Was Exposed?

While not everyone affected had the same type of data compromised, the company stated that hackers may have accessed a combination of the following:

• Full names and contact details
• Birth dates
• Government-issued ID numbers
• Bank account details
• Health and workers' compensation records
• Job-related documents


The breach does not appear to involve customer information, according to the company’s internal review. In Maine alone, over 95,000 individuals were impacted, triggering formal notification procedures as required by law.


Company’s Response and Next Steps

Following the discovery of the breach on November 6, 2024, Ahold Delhaize immediately launched an investigation and worked to contain the attack. Temporary service disruptions were reported, including issues with pharmacies and delivery services.

To assist those affected, the company is offering two years of free credit and identity monitoring through a third-party provider. It has also engaged external cybersecurity experts to further review and enhance its systems.


Ransomware Group Possibly Involved

Although Ahold Delhaize has not officially identified the group behind the attack, a ransomware operation known as INC Ransom reportedly claimed responsibility earlier this year. Files believed to be taken from the company were published on the group’s leak site in April.

Cybersecurity professionals say the exposed information could be used for identity theft and financial fraud. Experts have advised affected individuals to monitor their credit reports and, where possible, lock their credit files as a precautionary measure.


A Growing Concern for the Sector

Cyberattacks on retail and food service companies are becoming more frequent and severe. According to researchers, this incident stands out due to the unusually high number of records affected. The average breach in this sector usually involves far fewer data points.

Security specialists say such events highlight the urgent need for stronger protection strategies, including multi-factor authentication, network segmentation, and stealth technologies that reduce exposure to cyber threats.


Ahold Delhaize at a Glance

Headquartered in the Netherlands and Belgium, Ahold Delhaize operates more than 9,400 stores worldwide and serves roughly 60 million customers each week. In 2024, the company recorded over $100 billion in global sales.

As the investigation continues, the company has pledged to strengthen its data safeguards and remain vigilant against future threats.

FIR Filed After Noida Logistics Company Claims User Data Leaked


High-profile clients' private information, including that of top government officials, was leaked in a significant cybersecurity incident at Agarwal Packers and Movers Ltd (APML) in India. The June 1 incident has raised concerns over the security of corporate data as well as possible national security implications. An inquiry is still in progress after police registered a formal complaint.

In what could be one of the most sensitive data breaches in recent memory, Agarwal Packers and Movers Ltd (APML), a well-known logistics company with its headquarters located in Sector 60, Noida, has disclosed that private client information, including the addresses and phone numbers of senior government clients, has been stolen. 

The intrusion was detected on June 1 after several clients, including prominent bureaucrats, diplomats, and military personnel, began receiving suspicious, highly targeted phone calls.

"The nature of the calls strongly indicated that the callers had access to specific customer queries and records related to upcoming relocations," the complainant, Jaswinder Singh Ahluwalia, Group President and CEO of APML, stated in the police FIR. He cautioned that this is more than just a disclosure of company data. It has an impact on personal privacy, public trust, and possibly national security. 

The company initiated an internal technical inspection, which uncovered traces of unauthorised cyber infiltration and confirmed the breach. The audit also detected collaboration between internal personnel and external cybercriminals. While the scope of the hack is still being investigated, its significance is undeniable: the firm serves India's elite, making the stolen data a potential goldmine for bad actors.

In accordance with Sections 318(4) and 319(2) of the Bharatiya Nyaya Sanhita and Sections 66C (identity theft) and 66D (impersonation by computer resource) of the Information Technology Act, a formal complaint was filed at the Sector 36 Cyber Crime Police Station. 

According to Cyber SHO Ranjeet Singh, they have a detailed complaint with technological proof to back it up. At the moment, their cyber unit is looking through access trails, firewall activity, and internal server records. Due to the nature of clients impacted, the issue is being handled with the highest attention. 

The attack has triggered calls for stricter cybersecurity practices in private companies that serve sensitive sectors. While APML has yet to reveal how many people were affected, its internal records allegedly include relocation information for high-level clientele such as judges, intelligence officers, and foreign dignitaries.

Hackers Exploit Low-Paid Tech Support Workers to Breach Major Companies, Steal Customer Data

As more companies turn to outsourced tech support to save money, the risks tied to these operations are becoming increasingly evident. The dangers aren’t solely technical anymore; they also stem from the individuals operating behind the screens, who are often under financial strain and targeted by increasingly sophisticated cybercriminals.

Hackers are weaponizing outsourced tech support teams and call centers—the very services meant to assist customers—as tools for large-scale cybercrime. Recent breaches in the US and UK illustrate a worrying trend: attackers manipulating the human side of support operations to slip past advanced security protocols and seize sensitive data.

In one of the most impactful incidents so far, criminals infiltrated overseas call centers serving prominent American companies, including the cryptocurrency platform Coinbase. While attackers used different tactics, they shared a common strategy: exploiting the access held by low-level support staff, who frequently earn low wages despite handling confidential customer details.

According to Coinbase, hackers bribed customer support agents employed by TaskUs and other help desk providers, offering payments upwards of $2,500 to secure insider assistance. "You're working with a low-paid labor market," Isaac Schloss, chief product officer at Contact Center Compliance, told the Wall Street Journal. "These people are in a position of poverty more often than not. So if the right opportunity comes for the right person, people are willing to look the other way."

The fallout was severe. At Coinbase, the breach affected data from as many as 97,000 customers and could result in reimbursement costs nearing $400 million. Using the stolen details, attackers impersonated legitimate Coinbase representatives, contacting victims about their accounts and persuading them to transfer cryptocurrency into criminal-controlled wallets. "Every other day a new case would come in, and it would be, 'I got called by Coinbase, and I lost all my money because it wasn't Coinbase,'" Josh Cooper-Duckett, director of investigations at Cryptoforensic Investigators, told the publication.

These tactics are not confined to the crypto industry. In the UK, hackers have also targeted major retailers such as Marks & Spencer and Harrods, pretending to be senior executives to pressure tech-support staff into granting access to internal systems—a method resembling the 2023 MGM Resorts breach.

Beyond bribery, call center vulnerabilities include malicious software planted to siphon off data in large volumes. In some cases, hackers persuaded insiders to describe the applications installed on their systems, ultimately identifying a browser extension with a flaw they could exploit. This allowed them to inject code and harvest extensive customer records.

The cross-border nature of outsourcing complicates accountability. In many regions, workers face minimal legal penalties for helping enable cyberattacks. "We've seen relatively limited consequences, in those regions, for perpetrators," Philip Martin, Coinbase's chief security officer, said. Even when employees are terminated, "It's a relatively straightforward thing for them to go get a new one," he noted.

Despite businesses investing billions in sophisticated cybersecurity tools, hackers persistently capitalize on the most fragile element: people. "Consistently, the human interaction has proven to be a weak link," Michael McPherson, a senior vice president at cybersecurity firm ReliaQuest, said.

Massive Data Leak Exposes 16 Billion Login Records from Major Online Services

A recent investigation by Cybernews has uncovered a staggering 30 separate online datasets containing approximately 16 billion stolen login credentials from services including Apple, Google, and Facebook. These data dumps, discovered through open sources, appear to be the result of large-scale malware attacks that harvested user information through infostealers. 

Each dataset contains a URL alongside usernames and passwords, suggesting that malicious software was used to collect login details from infected devices. While some overlap exists among the records, the overall size and spread of the leak make it difficult to determine how many unique users have been compromised. 

Except for one dataset previously identified by cybersecurity researcher Jeremiah Fowler—which included over 185 million unique credentials—most of the remaining 29 databases had not been publicly reported before. These leaked collections are often only temporarily available online before being removed, but new compilations are regularly uploaded, often every few weeks, with fresh data that could be weaponized by cybercriminals. The exact sources and individuals behind these leaks remain unknown. 

To avoid falling victim to similar malware attacks, experts advise staying away from third-party download platforms, especially when obtaining software for macOS. Users are encouraged to download apps directly from the Mac App Store or, if not available there, from a developer’s official website. Using cracked or pirated software significantly increases the risk of malware infection. 

Phishing scams remain another common threat vector. Users should be cautious about clicking on links in unsolicited emails or messages. Even if a message appears to come from a trusted company, it’s vital to verify the sender’s address and inspect URLs carefully. You can do this by copying the link and pasting it into a text editor to see its actual destination before clicking. 

To reduce the chance of visiting malicious sites, double-check the spelling of URLs typed manually and consider bookmarking commonly used sites. Alternatively, using a search engine and clicking on verified results can reduce the risk of visiting typo-squatting domains. 
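The advice above (check the sender, look at where a link really goes before clicking, watch for typo-squatted domains) can be turned into a small, repeatable check. The following Python script is an added example written for this page, not something from the original post; it applies the same inspection a careful reader would do by pasting a link into a text editor: it extracts the real hostname, flags userinfo-before-`@` tricks, flags punycode (`xn--`) labels that can hide look-alike characters, and checks whether the host actually sits under the domain the message claims to be from. The sample links and the domains used in them are constructed for the example.

```python
from urllib.parse import urlsplit


def host_belongs_to(hostname, expected_domain):
    """True when hostname is expected_domain itself or a subdomain of it."""
    hostname = hostname.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return hostname == expected or hostname.endswith("." + expected)


def inspect_link(url, expected_domain):
    """Return a list of warnings for a link that claims to lead to expected_domain.

    An empty list means none of these checks fired; that is not proof the link
    is safe, only that the obvious tricks are absent.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""  # urlsplit lowercases this and drops any userinfo
    if parts.scheme == "http":
        warnings.append("plain http rather than https")
    elif parts.scheme != "https":
        warnings.append(f"unexpected scheme '{parts.scheme}'")
    if not host:
        warnings.append("no hostname found in the link")
        return warnings
    # "https://bank.example@203.0.113.5/" really goes to 203.0.113.5: the text
    # before '@' is userinfo, which browsers do not use for routing.
    if parts.username is not None:
        warnings.append(f"text before '@' is userinfo; the real host is {host}")
    # Internationalised labels appear as xn-- in the raw URL and can mimic
    # Latin letters with look-alike characters from other scripts.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) label present; check for look-alike characters")
    if not host_belongs_to(host, expected_domain):
        warnings.append(f"host '{host}' is not under {expected_domain}")
        brand = expected_domain.split(".")[0].lower()
        if brand in host:
            warnings.append(f"'{brand}' appears inside an unrelated domain (lookalike)")
    return warnings


# Constructed sample links; hostnames and the IP address are made up for this example.
SAMPLE_LINKS = [
    ("https://accounts.google.com/signin", "google.com"),
    ("https://accounts.google.com.login-check.example/verify", "google.com"),
    ("https://google.com@203.0.113.5/login", "google.com"),
    ("http://gooogle.com/", "google.com"),
    ("https://xn--exmple-cua.com/reset", "example.com"),
]

if __name__ == "__main__":
    for url, expected in SAMPLE_LINKS:
        findings = inspect_link(url, expected) or ["no red flags from these checks"]
        print(url)
        for finding in findings:
            print("  -", finding)
```

The `expected_domain` argument is the domain the message claims to come from; the point of the check is that a host such as `accounts.google.com.login-check.example` does not belong to `google.com` even though the brand name appears in it. For a full look-alike comparison you would add a public suffix list and a homoglyph table; this version deliberately stays with the checks a reader can also do by eye.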

If you suspect your credentials may have been compromised, take immediate action. Start by updating passwords on any affected services and enabling two-factor authentication for added security. It’s also wise to check your financial statements for unauthorized activity and consider placing a freeze on your credit file to prevent fraudulent account openings. 

Additionally, tools like Have I Been Pwned can help verify if your email address has been part of a known breach. Always install the latest system and app updates, as they often include crucial security patches. Staying current with updates is a simple but effective defense against vulnerabilities and threats.

Scania Targeted in Extortion Attempt Following Data Breach


Scania Financial Services, based in Sweden, has confirmed a cybersecurity incident that compromised sensitive company data, raising concerns across both the automotive and financial industries.

The breach reportedly involved unauthorised access to the subdomain insurance.scania.com between mid-June 2025 and mid-July 2025. The intrusion has been attributed to a threat actor using the alias "hensi", who is allegedly offering the stolen information for sale on underground cybercrime forums.

The exposure of confidential insurance-related information raises concerns about possible misuse of customer data and corporate records. Founded in 1937, Scania is one of the world's leading automotive manufacturers, specialising in heavy-duty trucks, buses, and industrial and marine engines.

The company is a key subsidiary of the Volkswagen Group and a major player in the European commercial vehicle market, which makes it one of the organisations most exposed to increasingly sophisticated cyber extortion schemes. While the full extent of the breach is still being investigated, industry experts see the incident as yet another reminder that the threat landscape facing the financial services arm of a multinational corporation is escalating.

Scania is well known for the quality of its engineering and for its fuel-efficient, long-lasting engines, which have earned it a leading position in the commercial vehicle industry worldwide. The company manufactures and delivers vehicles across many international markets.

It employs more than 59,000 people and generates more than $20.5 billion in annual revenue. According to reports, the breach occurred on May 28, 2025, when cybercriminals used login credentials harvested by information-stealing malware to gain unauthorised access to Scania's systems. Threat intelligence platform Hackmanac subsequently found a post by the cybercriminal Hensi on a well-known hacking forum.

In that post, the actor claimed to have stolen sensitive information from the compromised subdomain insurance.scania.com and offered it for sale to a single exclusive buyer. The discovery lent credibility to the extortion attempt and underlined the severity of the breach, reinforcing growing concerns about data security in the automotive-financial sector.

The breach raises a critical question about whether third parties are exposed to risk, and it shows how cyber extortion tactics are becoming increasingly sophisticated. Scania is continuing to investigate. As the attackers escalated, they began to contact Scania employees directly from a ProtonMail account, threatening to publicly release the compromised information unless certain demands were met.

This switch from silent intrusion to overt blackmail prompted the company to respond with greater urgency. Although the number of people affected has not been officially announced, the nature of the exposed information suggests that it could include highly sensitive data relating to insurance claims accessed through the compromised platform, such as personal, financial, and possibly medical information.

In response, Scania immediately deactivated the affected application and conducted a comprehensive internal investigation together with cybersecurity specialists. Under legal and regulatory requirements, Scania was also required to inform the appropriate data protection authorities.

The incident has put vendor risk management under intense scrutiny and highlighted the increasing reliance on third-party platforms that may not always adhere to adequate security standards. The breach is believed to have occurred in the middle of May 2025, when a threat actor used compromised credentials belonging to a legitimate external user to gain unauthorised access to a Scania system that supports insurance-related operations for a company in the Czech Republic.

According to initial analysis, the credentials were harvested by password-stealing malware, an increasingly popular way for cybercriminals to infiltrate corporate networks, steal data, and manipulate systems. Once inside, the attacker used the compromised account to download documents relating to insurance claims.

The documents likely contain personally identifiable information (PII) as well as potentially sensitive financial or medical information. Though Scania has not yet disclosed the exact number of individuals affected, the nature of the compromised documents points to a potentially significant privacy impact. Following the initial breach, the incident escalated into a clear case of cyber extortion.

A few days ago, the attackers started contacting Scania employees directly from a ProtonMail (proton.me) address, threatening disclosure. They also sent a second threatening email from a hijacked third-party email account, indicating an intent to use every available method to coerce the company into compliance.

The breach's authenticity was further confirmed when a user operating under the alias "Hensi" published the stolen data on dark web forums, backing up the earlier claims. Scania promptly removed the affected application from the network and initiated a thorough forensic investigation.

In line with compliance requirements, the company stated that the breach appeared to have a limited impact on its business and that the appropriate regulatory bodies, including the data protection authority, had been duly informed. The incident makes it increasingly clear that enterprise environments need better credential hygiene, stronger third-party oversight, and proactive incident response strategies.

Given its severity, the Scania incident serves as a warning for enterprise ecosystems facing growing cyber threats, especially those that rely heavily on third-party infrastructure. Companies should adopt a zero-trust security architecture, continuously monitor user behaviour, and invest in threat detection tooling that can surface credential misuse at the earliest opportunity.

Organisations must also reevaluate vendor relationships with a strong focus on supply chain security, and ensure that external service providers follow the same rigorous standards as internal ones. Employee awareness training combined with incident response simulations should be an integral part of a comprehensive cybersecurity strategy rather than an optional element.

As cyber extortion tactics become increasingly targeted and disruptive, proactive companies will distinguish themselves from those that react too late. Investing in a security culture that treats data protection as a shared and continuous responsibility across every level of the organisation is a key factor in the success of global corporations like Scania, and the key to regaining confidence in data protection.

Microsoft Entra ID Faces Surge in Coordinated Credential-Based Attacks

Cybersecurity experts have identified an extensive account takeover (ATO) campaign targeting Microsoft Entra ID that exploits TeamFiltration, a powerful open-source penetration testing framework.

First detected in December 2024, the campaign has accelerated rapidly, compromising more than 80,000 user accounts across many cloud environments over the past several years. Threat intelligence firm Proofpoint, which tracks the operation under the codename UNK_SneakyStrike, describes it as a sophisticated and stealthy attack operation aimed at breaching enterprise cloud infrastructure.

UNK_SneakyStrike stands out for its distinctive operational pattern: activity unfolds in waves within a single cloud environment, often targeting a broad spectrum of users. Aggressive bursts of login attempts are typically followed by quiet periods of four to five days, a cadence that helps the attackers avoid triggering traditional detection mechanisms while keeping sustained pressure on organisations' defences.

Several technical indicators show that the attackers are using TeamFiltration, an open-source penetration testing framework first presented at the DEF CON security conference in 2022. Originally built for security testing and red teaming in enterprises, TeamFiltration is now being used by malicious actors to automate large-scale user enumeration, password spraying, and stealthy data exfiltration.

The tool was designed to simulate real-world account takeover scenarios against Microsoft Entra ID, formerly known as Azure Active Directory. Its most dangerous features are its integration with the Microsoft Teams APIs and its use of Amazon Web Services (AWS) cloud infrastructure to rotate source IP addresses dynamically.

This strategy not only lets attackers evade geofencing and rate-limiting defences but also makes attribution and traffic filtering significantly harder. The framework can also backdoor OneDrive accounts, giving attackers prolonged, covert access to compromised systems without triggering immediate alarms.

Together, these features make TeamFiltration well suited to long-term intrusion campaigns, since they help an attacker maintain persistence within targeted networks and siphon sensitive data over extended periods. By analysing a series of distinctive digital fingerprints discovered during forensic analysis, Proofpoint was able to link both the TeamFiltration framework and the threat actor dubbed UNK_SneakyStrike to this malicious activity.

Those fingerprints included a rarely observed user-agent string, hard-coded OAuth client identifiers, and a long-standing snapshot of the Secureworks FOCI project embedded in the tool's backend. These technical artefacts allowed researchers to trace the campaign's origin and the misuse of the tool with a high degree of confidence.

A deeper investigation revealed that the attackers used AWS infrastructure spanning multiple international regions to circumvent geo-based blocking and conceal their real location. In a particularly stealthy manoeuvre, the threat actors interacted with the Microsoft Teams API using a "sacrificial" Microsoft Office 365 Business Basic account, which let them conduct covert account enumeration.

Through this tactic, they were able to verify existing Entra ID accounts without triggering security alerts, silently building a map of the user accounts that were available. Analysis of network telemetry showed that the majority of malicious traffic originated in the United States (42%), with additional significant activity traced to Ireland (11%) and the United Kingdom (8%). The global distribution of attack sources made attribution more complex and time-consuming, hampering the ability to respond efficiently.

A detailed advisory issued by Proofpoint in response to the campaign urged organisations, particularly those that rely on Microsoft Entra ID for cloud identity management and remote access, to initiate immediate mitigations or improvements. Its recommendations include flagging TeamFiltration-specific user-agent strings in detection rules, enforcing multi-factor authentication (MFA) uniformly across all user roles, and acting on the IP addresses listed in the published indicators of compromise (IOCs).

It is also recommended that organisations comply with OAuth 2.0 security standards and implement granular conditional access policies within Entra ID environments to limit potential exposure. Microsoft has issued no official security bulletin concerning this specific threat, but internal reports have revealed multiple instances of unauthorised access involving enterprise accounts. The incident is a reminder of the serious risk that dual-use red-teaming tools such as TeamFiltration can pose to organisations.

There is no doubt in my mind that such frameworks are designed to provide legitimate security assessments; however, as they are made available to the general public, they continue to raise concerns because they make it easier for threat actors to use them to gain an advantage, blurring the line between offensive research and actual attack vectors as threats evolve.

The attackers exploited the infrastructure of Amazon Web Services (AWS) during the incident, and AWS has reiterated its strong commitment to promoting responsible and lawful use of its cloud platform. AWS stated that all customers are required to adhere to all applicable laws and to the platform's terms of service in order to use its resources.

A spokesperson for Amazon Web Services explained that the company maintains a clearly defined policy framework that prevents misappropriation of its infrastructure. As soon as AWS receives credible reports indicating a potential violation of these policies, it initiates an internal investigation and takes appropriate action, such as disabling access to content deemed to violate its terms. As part of this commitment, AWS actively supports and values the global community of security researchers.

The campaign, tracked under the UNK_SneakyStrike codename, has been classified as a highly orchestrated, large-scale operation built on user enumeration and password spraying. According to researchers at Proofpoint, these access attempts usually arrive in intense, short-lived bursts, producing a flood of credential-based login requests against cloud environments. Each burst is followed by a quiet period of four to five days, an intentional pause that limits continuous detection and prolongs the life cycle of the campaign while keeping the threat actors evasive.

A key concern with this operation is the precision of its targeting. According to Proofpoint, the attackers attempt to access nearly all user accounts within small cloud tenants, while selectively targeting particular users within larger enterprise environments.

This calculated approach mirrors TeamFiltration's built-in filtering capabilities, which let operators prioritise the highest-value accounts while avoiding the detection that excessive probing would trigger. The situation underscores one of the major challenges the cybersecurity community faces today: tools like TeamFiltration that were designed to help defenders simulate real-world attacks are increasingly being turned against organisations instead of helping them fight back.

By weaponising these tools, threat actors can infiltrate cloud infrastructure, extract sensitive data, establish long-term access, and bypass conventional security controls. This campaign is a reminder that dual-purpose cybersecurity technologies, though essential for improving organisational resilience, can also pose a persistent and evolving threat when misappropriated.

As the UNK_SneakyStrike campaign demonstrates, the modern threat landscape continues to grow in size and sophistication, which is why cloud security must be approached proactively and in an intelligence-driven way. Cloud-native organisations must go beyond reactive measures and enhance their threat detection capabilities by investing in continuous threat monitoring, behavioural analytics, and threat hunting tailored to their environments.

Security strategies must now adapt to the dynamic nature of cloud infrastructure and the growing threat of identity-based attacks; relying on traditional perimeter defences or static access controls is no longer sufficient. To maintain security, enterprise defenders need to routinely audit their identity and access management policies, verify that integrated third-party applications are secure, and review logs for anomalies indicative of low-and-slow intrusion patterns.
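The detection recommendations above (flagging the tool's user-agent string, watching for the spray-then-pause cadence and for low-and-slow log anomalies) as an added example, not Proofpoint's or the TeamFiltration project's code, run over constructed Entra ID-style sign-in records. The CSV field layout and the watch-listed user-agent value are assumptions; the real TeamFiltration user agent is not reproduced here and should be taken from the published IOCs.

```python
# Added example (not Proofpoint's or TeamFiltration's code): flags the
# spray-burst, watch-listed user-agent and burst/quiet patterns described
# above in constructed Entra ID-style sign-in records.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: placeholder value; substitute the user-agent string from the
# published IOCs. The real TeamFiltration user agent is not reproduced here.
WATCHLISTED_USER_AGENTS = {"PLACEHOLDER-TEAMFILTRATION-UA"}

SPRAY_WINDOW = timedelta(minutes=30)   # how long one spray burst may last
SPRAY_MIN_DISTINCT_USERS = 5           # many distinct accounts ...
SPRAY_MAX_ATTEMPTS_PER_USER = 2        # ... but only a few tries each
QUIET_GAP_DAYS = 4                     # Proofpoint: four to five quiet days

# Constructed sample telemetry, not real logs. Field layout is an assumption:
# timestamp,source_ip,user,result,user_agent
SAMPLE_SIGNINS = """\
2025-05-01T09:00:00,203.0.113.10,alice@example.com,failure,PLACEHOLDER-TEAMFILTRATION-UA
2025-05-01T09:00:05,203.0.113.10,bob@example.com,failure,PLACEHOLDER-TEAMFILTRATION-UA
2025-05-01T09:00:11,203.0.113.10,carol@example.com,failure,PLACEHOLDER-TEAMFILTRATION-UA
2025-05-01T09:00:16,203.0.113.10,dave@example.com,failure,PLACEHOLDER-TEAMFILTRATION-UA
2025-05-01T09:00:22,203.0.113.10,erin@example.com,failure,PLACEHOLDER-TEAMFILTRATION-UA
2025-05-01T09:05:00,198.51.100.7,alice@example.com,success,Mozilla/5.0 (Windows NT 10.0)
2025-05-01T10:00:00,192.0.2.44,grace@example.com,failure,Mozilla/5.0 (Windows NT 10.0)
2025-05-01T10:00:10,192.0.2.44,grace@example.com,failure,Mozilla/5.0 (Windows NT 10.0)
2025-05-06T09:00:00,203.0.113.10,heidi@example.com,failure,PLACEHOLDER-TEAMFILTRATION-UA
2025-05-06T09:00:07,203.0.113.10,ivan@example.com,failure,PLACEHOLDER-TEAMFILTRATION-UA
2025-05-06T09:00:13,203.0.113.10,judy@example.com,failure,PLACEHOLDER-TEAMFILTRATION-UA
""".splitlines()


def parse_signins(lines):
    """Parse the constructed CSV layout into event dicts sorted by time."""
    events = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, ip, user, result, ua = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user.lower(), "failed": result != "success",
                       "ua": ua})
    return sorted(events, key=lambda e: e["ts"])


def find_spray_bursts(events):
    """One finding per source IP that, inside SPRAY_WINDOW, failed against at
    least SPRAY_MIN_DISTINCT_USERS accounts with few attempts per account.
    A single account hammered repeatedly (brute force) is deliberately not
    reported here; that is a different pattern from spraying."""
    failed_by_ip = defaultdict(list)
    for e in events:
        if e["failed"]:
            failed_by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in failed_by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding time window over failures
            while evs[end]["ts"] - evs[start]["ts"] > SPRAY_WINDOW:
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if (len(per_user) >= SPRAY_MIN_DISTINCT_USERS
                    and max(per_user.values()) <= SPRAY_MAX_ATTEMPTS_PER_USER):
                findings.append({"ip": ip, "start": evs[start]["ts"],
                                 "users": len(per_user)})
                break                        # one finding per IP is enough for triage
    return findings


def find_watchlisted_agents(events):
    """Source IPs that presented a watch-listed user agent."""
    return sorted({e["ip"] for e in events if e["ua"] in WATCHLISTED_USER_AGENTS})


def find_quiet_gaps(events):
    """Pauses of QUIET_GAP_DAYS or more between days with failed sign-ins,
    the burst/quiet cadence Proofpoint attributes to the campaign."""
    days = sorted({e["ts"].date() for e in events if e["failed"]})
    return [(a, b) for a, b in zip(days, days[1:])
            if (b - a).days >= QUIET_GAP_DAYS]


def analyse(lines):
    """Run all three checks and return the findings as one dict."""
    events = parse_signins(lines)
    return {"spray_bursts": find_spray_bursts(events),
            "watchlisted_ips": find_watchlisted_agents(events),
            "quiet_gaps": find_quiet_gaps(events)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

Thresholds are starting points only; tune the window and user counts to the tenant's size, since the campaign sprays nearly every account in small tenants but only selected users in large ones.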

Building an ecosystem resilient to emerging threats requires cloud service providers, vendors, and enterprise security teams to work together. The cybersecurity community must also keep discussing how dual-purpose security tools should be distributed and governed, so that innovation intended to strengthen defences does not become a weapon that compromises them.

Dealing with advanced threats requires agility, visibility, and collaboration if organisations are to remain resilient. Organisations are undoubtedly more exposed to attacks than in the past, but by practising holistic security hygiene and adopting a zero-trust architecture they can minimise exposure, contain intrusions quickly, and ensure business continuity despite increasingly coordinated and deceptive attack campaigns.

Paraguay Faces Data Breach Threat as Cyber Group Demands Ransom

A cyber extortion group is pressuring the Paraguayan government to pay a ransom of $7.4 million, roughly equal to one dollar for each citizen of the country. The group, which calls itself Brigada Cyber PMC, claims to have stolen personal information from three different Paraguayan government systems, including records of about 7.2 million people from the national civil registry, which manages voter information and other key data.

The hackers posted their demands on their dark web site on Sunday, warning that if the payment is not made by June 13, they will leak all the stolen information to the public. However, by Thursday, the group’s leak site had gone offline and was showing a basic server message, making its current status unclear.


Who Are the Hackers?

Little is known about Brigada Cyber PMC. Their website simply states, “You don’t need to know who we are.” At this stage, it’s uncertain whether they are working independently or if they have backing from a larger organization or government.

According to cybersecurity company Resecurity, the first signs of this data breach appeared on May 28, when a user named "Gatito_FBI_Nz" posted on a cybercrime forum offering to sell two databases containing information on Paraguayan citizens. The seller also provided a sample of nearly 940,000 records and appeared to be connected to other leaks in South America, based on their usernames and contact details shared on Telegram.

Resecurity’s investigation suggests that the hacker involved may have also attacked government systems in other South American countries. Paraguay’s national cybersecurity team, CERT-PY, has been informed of the situation.


The Targeted Systems

One of the affected Paraguayan government websites belonged to the National Agency for Transit and Road Safety, which went offline on May 29 but was brought back the next day. Some of the leaked records appear to have come from this agency and include sensitive personal details such as names, ID numbers, dates of birth, professions, marital status, and nationalities.

Another incident was reported on May 31, when a different hacker named "el_farado" posted another large set of Paraguayan citizen data for sale. This data was allegedly taken from government systems in the Cordillera region. Resecurity noted possible links between this hacker and FunkSec, a ransomware group active since late 2024. The structure of this data suggests it may have come from a separate cyberattack.


History of Attacks

This is not the first time Paraguay’s government networks have been targeted. Resecurity pointed out that a civil registry database was stolen and leaked about two years ago, but it’s unclear whether that older data is now being reused by the current attackers.

In another major case in November 2024, Paraguay’s critical infrastructure was found to be compromised by a hacking group reportedly connected to China, according to a joint investigation by Paraguayan officials and the U.S. Southern Command. That breach was linked to the group known as Flax Typhoon, but no public data leaks or officially confirmed victims were reported in that incident.

T-Mobile Denies Involvement After Hackers Claim Massive Customer Data Breach

T-Mobile is once again in the cybersecurity spotlight after a hacking group claimed to have obtained sensitive personal information belonging to 64 million customers. The hackers alleged the data was freshly taken as of June 1, 2025, and listed their find on a well-known dark web forum popular among cybercriminals and data traders.  

The leaked trove reportedly contains highly personal information, including full names, birthdates, tax identification numbers, addresses, contact details, device and cookie IDs, and IP addresses. Such data can be extremely valuable to cybercriminals for fraud, identity theft, or phishing attacks. Cybernews, which analyzed a sample of the data, confirmed its sensitive nature, raising alarm over the scale and potential damage of the breach.  

Yet, T-Mobile has come forward to strongly deny any connection to the alleged hack. In a statement to The Mobile Report, the telecom company asserted that the leaked data does not belong to T-Mobile or any of its customers. “Any reports of a T-Mobile data breach are inaccurate. We have reviewed the sample data provided and can confirm the data does not relate to T-Mobile or our customers,” the company stated. 

Despite T-Mobile’s denial, cybersecurity analysts remain cautious. Cybernews pointed out that portions of the leaked data mirror details from previous breaches that targeted T-Mobile, suggesting there may be some overlap with older incidents. This has sparked speculation that the latest claim may not be based on a new breach, but rather a repackaging of previously stolen information to create hype or confusion. 

Adding to the uncertainty, Have I Been Pwned—a trusted platform used to monitor data breaches—has yet to list the supposed breach, which could support the theory that the leaked data is not new. Still, the situation has left many T-Mobile customers in limbo, unsure whether their data has truly been compromised again. 

If the claims prove to be true, it would be another in a series of cybersecurity setbacks for T-Mobile. The company only recently began issuing compensation checks related to its 2021 data breach, suggesting that resolution in such matters can take years. 

For now, the legitimacy of this latest breach remains unclear. Until further evidence surfaces or an independent investigation confirms or refutes the claims, customers are advised to remain vigilant and monitor their accounts for any unusual activity.

Zoomcar Data Breach Exposes Personal Information of 8.4 Million Users

Zoomcar, a well-known car-sharing platform, recently reported that a cyberattack exposed the personal details of approximately 8.4 million users. The information that was accessed includes users’ names, phone numbers, and vehicle registration details.

The company, based in Bengaluru, India, disclosed this security incident in a filing with the U.S. Securities and Exchange Commission (SEC). According to the filing, Zoomcar discovered the issue on June 9 after some of its employees received direct messages from an unknown individual who claimed to have broken into the company’s systems and gained access to its data.

In response, Zoomcar quickly launched its incident response plan — a set of steps companies take to control damage and secure their systems after a cyberattack. The company explained that, so far, there is no sign that financial information, unencrypted passwords, or highly sensitive personal identifiers were stolen in this breach.

Zoomcar has since introduced additional security measures to strengthen its internal systems and cloud services. These steps include improved system monitoring and a careful review of user access controls to prevent future attacks. However, the company did not give detailed explanations of these new protections.

The company also confirmed that it is working with independent cybersecurity experts to investigate the incident further. Relevant law enforcement agencies and regulatory authorities have been notified and are now involved in the case.

At this point, Zoomcar has not provided any public updates on whether it has directly informed the affected users or if it has managed to identify the hacker responsible.

As of now, the company says this breach has not affected its day-to-day business operations.

Zoomcar, founded in 2013, is a platform that allows users to rent cars by the hour, day, week, or month. It currently operates in 99 cities with a fleet of over 25,000 cars and has built a user base of more than 10 million people. Apart from India, the company also runs services in Egypt, Indonesia, and Vietnam.

Earlier this year, Zoomcar reported that it had seen a 19% increase in car rentals compared to the previous year, totaling over 103,000 bookings. The company also noted a significant improvement in its contribution profit, which rose by over 500% to $1.28 million. However, despite these gains, the company’s net loss still stood at $7.9 million.

Cyberattacks like this highlight the importance of strong cybersecurity practices and continuous monitoring, especially for companies that handle large amounts of personal user information. It also raises questions about how quickly companies notify customers after discovering such breaches.

For now, Zoomcar says it is taking the situation seriously and is fully cooperating with all ongoing investigations.

Cyberattack in Dubai Compromises Patient Health Records

In recent months, the UAE Cyber Security Council (CSC) has revealed that the UAE has seen a surge in cyberattacks, with more than 200,000 reported daily at the peak. Attacks of this magnitude and coordination are mostly directed at the nation's strategic sectors, such as government institutions, energy infrastructure, financial systems, and healthcare networks, which represent its most important institutions.

These attacks originate in at least 14 different foreign countries, and they do not just attempt to compromise sensitive data; they also aim to disrupt critical infrastructure and undermine national security. In response to this growing threat landscape, the CSC has developed a comprehensive, proactive cybersecurity framework that draws on a wide range of cutting-edge global technologies, intelligence-sharing protocols, and advanced threat mitigation mechanisms.

By identifying both the source and the perpetrators of these cyber intrusions, UAE authorities were able to implement countermeasures swiftly and neutralise threats before they could inflict widespread damage. This comprehensive defence strategy reflects the country's commitment to safeguarding its digital sovereignty and protecting its essential assets in an era when cyber warfare is becoming more complex.

Against this backdrop of escalating cyber threats, the ransomware group Gunra has made the alarming claim that it stole 450 million patient records from the American Hospital Dubai (AHD). This development marks a turning point for the region's cybersecurity landscape, showing that even the most technologically advanced healthcare institutions are vulnerable to increasingly sophisticated digital threats.

Founded in 1996, the American Hospital Dubai has become one of the UAE's premier private healthcare providers. The facility, located in Oud Metha, offers specialised care across 40 medical disciplines and is well known for its pioneering work in robotic and minimally invasive surgery.

Because it is a trusted hub for both local and international patients, the extent of the alleged breach is particularly devastating. Gunra claims to have exfiltrated 4 terabytes of highly sensitive data, including individual identifiers, financial information, and detailed clinical records.

The sheer magnitude of the alleged data breach raises serious questions about the confidentiality of patient data, the institutional oversight governing the UAE's digital infrastructure, and compliance with stringent data protection laws. If the breach is verified, it could have far-reaching implications for AHD's operations and reputation, as well as for the broader healthcare sector's approach to cyber resilience and risk management.

The emergence of Gunra as a new and aggressive threat actor adds fresh urgency to cybersecurity discussions, especially as ransomware attacks continue to grow in scale and sophistication. Since it was first detected in April 2025, the Gunra ransomware group has rapidly established itself as one of the most disruptive groups in the cybercriminal landscape, according to the threat intelligence firm Cyfirma.

Based on data collected by Cybernews' dark web monitoring platform, Ransomlooker, the group has claimed responsibility for attacks on 12 organisations across a variety of industries. Compared with other ransomware groups, Gunra appears to take a calculated approach, going after high-value targets in sectors such as real estate, pharmaceuticals, and manufacturing.

Using a double-extortion strategy, a very common technique among advanced ransomware groups, the group not only encrypts victim data but also threatens to publicly release the stolen information unless a ransom is paid. Together, these two layers of pressure greatly raise the stakes for affected organisations and can compound the damage well beyond the initial breach. Technically, Gunra is an alarmingly efficient piece of malware once it enters a network.

Once inside, it quickly encrypts critical files, adding a unique ".ENCRT" extension to each one, locks the victim out of their data and systems, and leaves a ransom note in every affected folder. These notes provide instructions for making a payment and reclaiming access, typically demanding significant sums in cryptocurrency.

The group's primary motivation is clearly financial gain, but its rapidly evolving tactics and wide range of targets indicate a growing threat to global digital infrastructure. The group has stated that it intends to publicly release the exfiltrated data on June 8th, which significantly escalates the severity of the situation and applies psychological pressure to compel the victim to comply.

For an important healthcare facility such as the American Hospital Dubai, which is responsible for safeguarding sensitive patient information and operates within a tightly regulated framework, such an incident would have significant repercussions. Beyond possible legal and financial penalties, there is the prospect of a profound erosion of patient trust, reputational damage, and long-term disruption to patient services.

In light of this incident, healthcare organisations, especially those that manage large amounts of confidential data in digital repositories, need to adopt a more forward-looking cybersecurity posture. Beyond basic security measures, organisations should deploy advanced threat detection systems, conduct frequent vulnerability assessments and security audits, and train staff to minimise human error, which is often a key vector for cyber intrusions.

They must also implement a robust, well-tested incident response framework that allows them to contain, recover, and communicate quickly in the event of a breach. The situation also illustrates a rapidly changing threat landscape in which cybercriminals employ increasingly advanced and aggressive tactics to exploit systemic weaknesses. As these digital threats grow in complexity and scale, healthcare providers need to elevate their defences, investing not only in technology but also in strategic foresight and organisational resilience so that they can withstand and respond to future cyberattacks.

While the American Hospital Dubai deals with the fallout of a potentially massive data breach, a wave of similar cyber incidents has swept through other parts of the Middle East and Africa, demonstrating how global the ransomware threat landscape has become. In Morocco, cyberattacks targeting both public and private organisations have raised serious concerns about the resilience of the country's digital infrastructure.

Initial reports suggested that cybercriminals had broken into the computer systems of the National Agency for Land Conservation, Cadastre, and Cartography (ANCFCC) and exfiltrated over four million documents. The allegedly compromised data was said to include highly sensitive documents such as over 10,000 property certificates, passports and bank statements, as well as other personal information including birth certificates and civil status records.

Morocco's General Directorate of Information Systems Security (DGSSI) later clarified that the ANCFCC had not been compromised. Further investigation found that the breach originated from an online platform known as tawtik.ma, which is used by the National Council of Notaries. The platform was taken offline immediately to contain the threat and initiate remediation, limiting the set of documents that could be accessed.

The breach is the second significant cybersecurity incident in Morocco in recent years. Recently, the National Social Security Fund (CNSS) suffered a major compromise that resulted in the theft of over 54,000 documents and the exposure of nearly 2 million citizens' personal data. The continuing intrusions in both the public and private sectors show that both remain vulnerable to attack. The list of victims is growing: Best Profil, a prominent Moroccan human resources firm, has also been targeted in another attack.

According to preliminary assessments, the attackers exfiltrated approximately 26 gigabytes of sensitive internal data. The stolen data reportedly included sensitive HR and financial documents, employee contracts, and financial records, and cybersecurity analysts estimate that the compromised data may have been worth around $10 million. This underscores the high stakes involved in such breaches and the lucrative motivations that drive cybercrime.

Taken together, these incidents show that transnational cyberattacks are becoming increasingly common across sectors and borders. They put a strong emphasis on the need for nations and organisations, particularly those responsible for managing sensitive public data, to invest in advanced cybersecurity frameworks, to facilitate inter-agency collaboration, and to stay alert to evolving digital threats in order to safeguard themselves.

As cyberattacks against healthcare institutions in the Middle East and Africa grow in number, cybersecurity compliance plays an increasingly crucial role in addressing the threat. For a hospital or medical service provider, safeguarding sensitive patient data, digital infrastructure, and life-saving technologies while adhering to rigorous cybersecurity regulations is more than a legal formality.

It is an integral part of operating with integrity, maintaining patient trust, and ensuring long-term resilience. Regulatory frameworks such as the Abu Dhabi Healthcare Information and Cyber Security (ADHICS) standard offer a structured approach to risk management by requiring best practices in data protection, threat monitoring, and incident response.

Amid the rapid progress of digital transformation across the Middle East, the region continues to face enormous challenges in protecting healthcare and public infrastructure from an ever-increasing number of cyber threats, including ransomware, phishing, and data breaches. As a critical defence mechanism, compliance initiatives introduce standard safeguards that reduce vulnerabilities, ensure accountability, and maintain continuity of care despite cyber disruptions.

A robust phishing protection protocol, for example, mandated under many regional cybersecurity guidelines, counters one of the most prevalent entry points for threat actors and thereby protects both institutional data and patient outcomes. By aligning their security frameworks with regulatory mandates such as ADHICS, healthcare organisations can significantly reduce the impact of cyber incidents.

Beyond preventing large-scale data breaches, mitigating medical service delays caused by system outages, and strengthening public confidence that healthcare providers can protect patient information, there are many other benefits. A well-regulated cybersecurity posture also establishes a reputation for reliability and digital responsibility, key attributes in an environment where healthcare is highly interconnected and highly threatened. Cybersecurity compliance is not a concern only in the Middle East.

As cyber threats become increasingly sophisticated and broad in scope, other regions also need regulatory models that emphasise proactive governance and multilayered security. Strong, sector-specific cybersecurity policies are crucial not only to protect national health infrastructures but also to promote a culture of digital safety and resilience across the globe.

Cyberattacks are becoming increasingly targeted, persistent, and damaging, especially against healthcare systems, which makes robust, proactive cybersecurity measures imperative. Recent incidents in Middle Eastern and African countries have exposed vulnerabilities in the region's digital infrastructure, as well as a widespread underestimation of the threat of cybercrime at the institutional level.

Cybersecurity can no longer be treated as a technical afterthought; organisations must weave it into the very fabric of business strategy and executive decision-making. Responding to this shift requires a comprehensive, multilayered approach that includes artificial-intelligence-driven threat intelligence, robust governance models, risk assessments carried out by third parties, and simulation-based incident response planning.

Cyber resilience is also built by empowering employees at all levels of the organisation through continuous education and accountability, so that security becomes a shared organisational responsibility. At the same time, regulators need to produce agile, enforceable frameworks that evolve in line with changing threats.

Countering the increasing influence of cybercrime syndicates requires stronger cross-border collaboration, sector-specific mandates, and strict compliance oversight. In a hyperconnected world, the ability to anticipate, withstand, and recover from cyber incidents is more than a competitive advantage; it is a necessary component of maintaining trust, continuity, and national security.

AT&T Customers at Risk Again After New Data Leak


AT&T customers are once more facing serious security concerns following reports of a fresh leak involving their personal information. This comes after the telecom company experienced multiple data breaches last year.


Previous Data Breaches Raised Alarms

In 2024, AT&T reported two major security incidents. The first breach, which took place in March, affected over 70 million people. Sensitive details like social security numbers, home addresses, phone numbers, and birth dates were stolen and later found for sale on the dark web.

Just a month later, another breach occurred. Hackers reportedly gained access to AT&T's workspace on the Snowflake cloud data platform, which allowed them to collect call and text records from a large number of AT&T users. Some sources later claimed that AT&T paid the hackers a ransom of approximately $370,000 to prevent the data from being exposed, but this detail remains unconfirmed.

These incidents increased the risk of identity theft, scams, and phishing attempts targeting AT&T customers. The company later provided those affected with a free one-year subscription to identity protection services.


New Customer Data Surfaces Online

Recently, another batch of customer data—belonging to around 86 million people—has appeared on the dark web. The leaked information includes names, birth dates, phone numbers, email addresses, home addresses, and social security numbers, raising fresh concerns about fraud and misuse.

AT&T responded by saying that the data seems to be from the earlier breach in March 2024 and is likely being recirculated by cybercriminals looking to make money. According to the company, their teams are fully investigating this recent exposure and law enforcement has been notified.


Why Customers Should Stay Alert

Data breaches have been rising sharply in the United States. A report by the Identity Theft Resource Center shows that over 1 billion people were affected by data leaks in just the first half of 2024—a massive increase compared to the previous year.

Even if this recent leak involves old data, the danger is still real. Hackers can combine stolen information to create fake identities, apply for loans, open accounts, or carry out other fraudulent activities.


Steps to Protect Yourself

AT&T customers and anyone affected by data breaches should take these precautions:

1. Change passwords and PINs immediately, especially for bank accounts and financial services.

2. Avoid reusing old passwords and set strong, unique ones for each account.

3. Enable two-factor authentication for extra security where possible.

4. Monitor bank and credit accounts closely for any unusual or suspicious activity.

5. Place a fraud alert on your credit file to warn lenders of potential identity theft. This is free and stays active for one year, with options to renew.

6. Consider freezing your credit report to prevent new accounts from being opened in your name.
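Step 2 above asks customers to stop reusing passwords that may already be circulating in breach dumps. The following is an added example, not part of the original post and not an AT&T tool, showing one safe way to test that: the Have I Been Pwned "Pwned Passwords" range API, which accepts only the first five hex characters of a password's SHA-1 hash and returns every matching hash suffix with its breach count, so the password itself never leaves your machine. The range response embedded below is constructed for the example (the real suffix of SHA-1("password") plus made-up neighbours and counts); only `fetch_range` talks to the live service, and it is not called by the offline functions.

```python
import hashlib
from urllib.request import Request, urlopen

# Real HIBP endpoint; only a 5-hex-char hash prefix is ever sent to it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent
    to the API and the 35-char suffix matched locally (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Malformed lines are skipped; padded entries (count 0) are kept,
    which is harmless because a count of 0 means 'not seen'."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def breach_count_from_range(password: str, range_body: str) -> int:
    """Number of times `password` appears in the breach corpus, given a
    range response for its hash prefix. 0 means not found."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Network call (not exercised offline). 'Add-Padding' asks HIBP to
    pad the response so its size does not leak which prefix was queried."""
    req = Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count_online(password: str) -> int:
    """End-to-end check against the live service."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count_from_range(password, fetch_range(prefix))


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts
# with 5BAA6). The first suffix is the genuine one; the counts and the
# other two suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0F6D4A1C2B3E4D5F6A7B8C9D0E1F2A3B4C5:12
7A7A7A7A7A7A7A7A7A7A7A7A7A7A7A7A7A7:0
"""


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-example"):
        n = breach_count_from_range(pw, SAMPLE_RANGE_5BAA6)
        verdict = f"seen {n} times, do not reuse" if n else "not in sample range"
        print(f"{pw!r}: {verdict}")
```

If you run this against the live API, query each prefix once and cache the response; the suffix comparison happens locally, so a large password list can be checked without ever revealing a full hash.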


It’s essential for all consumers to remain careful and take quick action to protect their personal information in today’s rising cyber threat landscape.

Massive Data Leak Exposes Billions of Records in Suspected Chinese Surveillance Database


Cybersecurity experts have uncovered a massive trove of sensitive information left exposed online, potentially placing millions of individuals at significant risk. The discovery, made by researchers from Cybernews in collaboration with SecurityDiscovery.com, revealed an unsecured database totaling 631 gigabytes—containing an estimated four billion individual records. 

The open instance, which lacked any form of password protection, was quickly taken offline once the exposure was reported, but experts remain unsure about how long it had remained publicly accessible. The data, according to the investigation, appears to primarily concern Chinese citizens and users, with entries collected from various platforms and sources. 

Cybernews researchers believe this is not a random collection, but rather a systematically curated database. They described it as a tool capable of constructing detailed behavioral, social, and financial profiles of nearly any individual included in the records. The structured and diverse nature of the data has led analysts to suspect that the repository may have been created as part of a broader surveillance or profiling initiative. 

Among the most alarming elements of the database is the presence of extensive personally identifiable information (PII). The exposed details include full names, birth dates, phone numbers, financial records, bank card data, savings balances, debt figures, and personal spending patterns. Such information opens the door to a wide range of malicious activities—ranging from identity theft and financial fraud to blackmail and sophisticated social engineering attacks. 

A large portion of the exposed records is believed to originate from WeChat, the popular Chinese messaging app, which accounts for over 805 million entries. Another 780 million records relate to residential data tied to specific geographic locations. Meanwhile, a third major portion of the database labeled “bank” contains around 630 million records of financial and sensitive personal data. 

If confirmed, the scale of this leak could surpass even the National Public Data breach, one of the most significant data security incidents in recent memory. Experts are particularly troubled by the implications of a centralized data cache of this magnitude—especially one that may have been used for state-level surveillance or unauthorized commercial data enrichment. 

While the server hosting the information has been taken offline, the potential damage from such an exposure may already be done. Investigators continue to analyze the breach to determine its full impact and whether any malicious actors accessed the data while it was left unsecured.

Kettering Health Ransomware Attack Linked to Interlock Group


Kettering Health, a prominent healthcare network based in Ohio, is still grappling with the aftermath of a disruptive ransomware attack that forced the organization to shut down its computer systems. The cyberattack, which occurred in mid-May 2025, affected operations across its hospitals, clinics, and medical centers. Now, two weeks later, the ransomware gang Interlock has officially taken responsibility for the breach, claiming to have exfiltrated more than 940 gigabytes of data.  

Interlock, an emerging cybercriminal group active since September 2024, has increasingly focused on targeting U.S.-based healthcare providers. When CNN first reported on the incident on May 20, Interlock had not yet confirmed its role, suggesting that ransom negotiations may have been in progress. With the group now openly taking credit and releasing some of the stolen data on its dark web site, it appears those negotiations either failed or stalled. 

Kettering Health has maintained a firm position against paying ransoms. John Weimer, senior vice president of emergency operations, previously stated that no ransom had been paid. Despite this, the data breach appears extensive. Information shared by Interlock indicates that sensitive files were accessed, including private patient records and internal documents. Patient information such as names, identification numbers, medical histories, medications, and mental health notes was among the compromised data.

The breach also impacted employee data, with files from shared network drives also exposed. One particularly concerning element involves files tied to Kettering Health’s in-house police department. Some documents reportedly include background checks, polygraph results, and personally identifiable details of law enforcement staff—raising serious privacy and safety concerns. In a recent public update, Kettering Health announced a key development in its recovery process. 

The organization confirmed it had restored core functionality of its electronic health record (EHR) system, which is provided by healthcare technology firm Epic. Officials described this restoration as a significant step toward resuming normal operations, allowing teams to access patient records, coordinate care, and communicate effectively across departments once again. The full scope of the breach and the long-term consequences for affected individuals remain uncertain.

Meanwhile, Kettering Health has yet to comment on whether Interlock’s claims are fully accurate. The healthcare system is working closely with cybersecurity professionals and law enforcement agencies to assess the extent of the intrusion and prevent further damage.