Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware attack. Show all posts
Supply chain vulnerability
Airport Cyberattack Aviation Cyber Threats Collins Aerospace Hack Critical Infrastructure Security Cybersecurity Breach Data Extortion Digital Resilience Ransomware attack Supply chain vulnerability

Collins Aerospace Deals with Mounting Aftermath of Hack


One of the most disruptive cyber incidents to have hit Europe's aviation sector in recent years was a crippling ransomware attack that occurred on September 19, 2025, causing widespread chaos throughout the continent's airports.  

The disruption was not caused by adverse weather, labour unrest or mechanical failure but by a digital breakdown at the heart of the industry's technological core. The Collins Aerospace MUSE platform, which is used for passenger check-ins and baggage operations at major airport hubs including Heathrow, Brussels, Berlin, and Dublin, unexpectedly went down, leading airports to revert to paper-based, manual procedures. 

There was confusion in the terminals and gate agents resorted to handwritten manifests and improvised coordination methods to handle the surge, while thousands of passengers stranded in transit faced flight cancellations and delays. While flight safety systems remained unaffected, and a suspect (a British national) was apprehended within a few days of the attack, it also exposed an increasingly frightening vulnerability in aviation's growing reliance on interconnected digital infrastructure. 

This ripple effect revealed how one breach of security could cause shockwaves throughout the entire ecosystem of insurers, logistics companies, and national transport networks that are all intertwined with the digital backbone of air travel itself, far beyond an aviation issue. 

In the aftermath of the Collins Aerospace cyberattack, the crisis became worse when on Sunday, a group linked to Russian intelligence and known as the Everest Group claimed to have accessed sensitive passenger information allegedly stolen by Dublin Airport and claimed to have been possessed by the group. This group, which operates on the dark web, announced that they had acquired 1.5 million passenger records and threatened to release the data unless a ransom was paid by Saturday evening before releasing the data. 

It has been reported that Everest, which had earlier claimed credit for breaching systems connected to Collins Aerospace's MUSE software on October 17, believes that the security breach occurred between September 10 and 11, using credentials obtained from an insecure FTP server in order to infiltrate the company's infrastructure. 

On September 19, Collins Aerospace shut down affected servers that blocked cybercriminals from accessing these servers, according to the cybercriminals who claimed their access to those servers was later stopped. This move occurred simultaneously with a wide array of operational outages in major European airports including Heathrow, Berlin Brandenburg, Brussels, and Dublin. 

A spokesperson for the Dublin Airport Authority (DAA) confirmed that a probe has been initiated in response to the mounting concerns regarding the incident, as well as in coordination with regulators and impacted airlines. It should be pointed out that as of yet no evidence has been found of a direct hacking attack on DAA's internal systems, indicating that the dataset exposed primarily consists of details regarding passenger boarding for flights departing Dublin Airport during the month of August.

While this happened, ENISA, the European Union Agency for Cybersecurity, categorised the Collins Aerospace hack as a ransomware attack, which underlined the escalation of sophistication and reach of cybercriminals targeting critical aviation infrastructure across the globe. There have been signs of gradual recovery as European airports have struggled to regain operational stability since the Collins Aerospace cyber incident. 

Although challenges persisted throughout the days of the cyberattack, signs of gradual recovery did emerge. While flight schedules at London's Heathrow airport and Berlin Brandenburg airport had begun to stabilize on Sunday, Brussels Airport continued to experience significant disruptions. A statement issued by Brussels Airport on Monday stated that it had requested airlines cancel about half of the 276 departures scheduled for Monday due to the non-availability of Collins Aerospace's new secure check-in software, which had not been available for the previous few days.

As manual check-in procedures remained in place, the airport warned that cancellations and delays were likely to continue until full digital functionality had been restored. In spite of the ongoing disruptions, airport authorities reported that roughly 85% of weekend flights operated, which was made possible by ensuring additional staffing from airline partners and ensuring that the online check-in and self-service baggage system were still operational, according to Airport Authority reports. 

The airport’s spokesperson Ihsane Chioua Lekhli explained that the cyberattack impacted only the computer systems being used at the counters staffed by employees, and that in order to minimize the inconvenience to passengers, backup processes and even laptops have been used as workarounds.

It is important to note that RTX Corporation, the parent company of Collins Aerospace, refused to comment on this matter in a previous statement issued on Saturday, when RTX Corporation acknowledged the disruption and said it was working to fully restore its services as soon as possible. According to the company, the impact will only be felt by electronic check-in and baggage drop and can be minimized by manual operations. 

During the weekend, Heathrow and Brandenburg airports both encouraged passengers to check their flight statuses before arriving at the airport, as well as to take advantage of online or self-service options to cut down on traffic. In its latest communication, Heathrow Airport stated that it was working with airlines "to recover from Friday's outage," stressing that despite the delays, a majority of scheduled flights were able to run throughout the weekend despite the delay. 

There has been a broader discussion around the fragility of digital supply chains and the increasing risk that comes with vendor dependency as a result of the Collins Aerospace incident. Increasingly, ransomware and data extortion groups are exploiting third-party vulnerabilities in order to increase the likelihood of a systemic outage, rather than an isolated cyber event. 

An analysis by industry analysts indicates that the true differentiator between organizations that are prepared, visible, and quick to respond during such crises lies in their ability to deal with them quickly, and in the ability to anticipate problems before they arise. According to Resilience's cybersecurity portfolio, only 42% of ransomware attacks in 2025 were followed by incurred claims, a significant decrease from 60% in 2024.

According to experts, this progress is largely due to the adoption of robust backup protocols, periodic testing, and well-defined business continuity frameworks, which are the foundation of this improvement. However, broader industry figures paint a more worrying picture. Approximately 46% of organizations that have been affected by ransomware opted to pay ransoms to retrieve data, according to Sophos' State of Ransomware report, while in the Resilience dataset, the number of affected organizations paid ransoms fell from 22% in 2024 to just 14% in 2025.

This contrast illustrates the fact that companies that have tested recovery capabilities are less likely to succumb to extortion demands because they have viable options for recovering their data. A new approach to cybersecurity has emerged – one that is based on early detection, real-time threat intelligence, and preemptive mitigation. Eye Security uncovered a critical vulnerability in Microsoft SharePoint in July 2025 and issued targeted alerts in response to the vulnerability. This proactive approach enabled Eye Security to scan its client ecosystem, alert its clients, and contain active exploitation attempts before significant damage could occur. 

According to experts, Collins Aerospace's breach serves as a lesson for what happens when critical vendors fail in a network that is interconnected. A recent outage that crippled airports across Europe was more than just an aviation crisis; it was an alarming reminder of the concentration risk that cloud-based and shared operating technologies carry across industries as well. 

Organizations are increasingly reliant on specialized vendors to manage essential systems in order to ensure their success, so the question isn't if a major outage will occur again, but whether businesses have the resilience infrastructure to stay operational if it happens again. It is clear from the Collins Aerospace incident that cybersecurity is no longer a separate IT concern, but rather a core component of operational continuity. 

It stands as a defining moment for digital resilience in the evolving narrative. The emphasis in navigating this era of global infrastructure disruption must shift to building layered defense ecosystems, combining predictive intelligence, rigorous vendor vetting, and a real-time crisis response framework, as businesses navigate through the challenges of a single vendor outage disrupting global infrastructure. 

In the end, the lesson is clear: resilience is not built when disruption happens but in anticipation of it, ensuring that when the next digital storm hits, we are prepared, not panicked.
Read more »
VMO Incident
cyber resilience Cybersecurity Breach Data Privacy Data protection Digital Infrastructure Hong Kong Security Network Security Privacy Ransomware attack VMO Incident

Mobdro Pro VPN Under Fire for Compromising User Privacy

 


A disturbing revelation that highlights the persistent threat that malicious software poses to Android users has been brought to the attention of cybersecurity researchers, who have raised concerns over a deceptive application masquerading as a legitimate streaming and VPN application. Despite the app's promise that it offers free access to online television channels and virtual private networking features—as well as the name Modpro IPTV Plus VPN—it hides a much more dangerous purpose.

It is known as Mobdro Pro IPTV Plus VPN. Cleafy conducted an in-depth analysis of this software program and found that, as well as functioning as a sophisticated Trojan horse laced with Klopatra malware, it is also able to compromise users' financial data, infiltrating devices, securing remote controls, and infecting devices with Klopatra malware. 

Even though it is not listed in Google Play, it has spread through sideloaded installations that appeal to users with the lure of free services, causing users to download it. There is a serious concern among experts that those who install this app may unknowingly expose their devices, bank accounts, and other financial assets to severe security risks. At first glance, the application appears to be an enticing gateway to free, high-quality IPTV channels and VPN services, and many Android users find the offer hard to refuse. 

It is important to note, however, that beneath its polished interface lies a sophisticated banking Trojan with a remote-access toolkit that allows cybercriminals to control almost completely infected devices through a remote access toolkit. When the malware was installed on the device, Klopatra, the malware, exploiting Android's accessibility features, impersonated the user and accessed banking apps, which allowed for the malicious activity to go unnoticed.

Analysts have described the infection chain in a way that is both deliberate and deceptive, using social engineering techniques to deceive users into downloading an app from an unverified source, resulting in a sideload process of the app. Once installed, what appears to be a harmless setup process is, in fact, a mechanism to give the attacker full control of the system. 

In analyzing Mobdro Pro IPTV Plus VPN further, the researchers have discovered that it has been misusing the popularity of the once popular streaming service Mobdro (previously taken down by Spanish authorities) to mislead users and gain credibility, by using the reputation of the once popular streaming service Mobdro. 

There are over 3,000 Android devices that have already been compromised by Klopatra malware, most of which have been in Italy and Spain regions, according to Cleafy, and the operation was attributed to a Turkish-based threat group. A group of hackers continue to refine their tactics and exploit public frustration with content restrictions and digital surveillance by using trending services, such as free VPNs and IPTV apps. 

The findings of Cleafy are supported by Kaspersky's note that there is a broader trend of malicious VPN services masquerading as legitimate tools. For example, there are apps such as MaskVPN, PaladinVPN, ShineVPN, ShieldVPN, DewVPN, and ProxyGate previously linked to similar attacks. In an effort to safeguard privacy and circumvent geo-restrictions online, the popularity of Klopatra may inspire an uproar among imitators, making it more critical than ever for users to verify the legitimacy of free VPNs and streaming apps before installing them. Virtual Private Networks (VPNs) have been portrayed for some time as a vital tool for safeguarding privacy and circumventing geo-restrictions. 

There are millions of internet users around the world who use them as a way to protect themselves from online threats — masking their IP addresses, encrypting their data traffic, and making sure their intercepted communications remain unreadable. But security experts are warning that this perception of safety can sometimes be false.

In recent years, it has become increasingly difficult to select a trustworthy VPN, even when downloading it directly from official sites, such as the Google Play Store, since many apps are allegedly compromising the very privacy they claim to protect, which has made the selection process increasingly difficult. In the VPN Transparency Report 2025, published by the Open Technology Fund, significant security and transparency issues were highlighted among several VPN applications that are widely used around the world. 

During the study, 32 major VPN services collectively used by over a billion people were examined, and the findings revealed opaque ownership structures, questionable operational practices, and the misuse of insecure tunnelling technologies. Several VPN services, which boasted over 100 million downloads each, were flagged as particularly worrying, including Turbo VPN, VPN Proxy Master, XY VPN, and 3X VPN – Smooth Browsing. 

Several providers utilised the Shadowsocks tunnelling protocol, which was never intended to be private or confidential, and yet was marketed as a secure VPN solution by researchers. It emphasises the importance of doing users' due diligence before choosing a VPN provider, urging users to understand who operates the service, how it is designed, and how their information is handled before making a decision. 

It is also strongly advised by cybersecurity experts to have cautious digital habits, including downloading apps from verified sources, carefully reviewing permission requests, installing up-to-date antivirus software, and staying informed on the latest cybersecurity developments through trusted cybersecurity publications. As malicious VPNs and fake streaming platforms become increasingly important gateways to malware such as Klopatra, awareness and vigilance have become increasingly important defensive tools in the rapidly evolving online security landscape. 

As Clearafy uncovered in its analysis of the Klopatra malware, the malware represents a new level of sophistication in Android cyberattacks, utilising several sophisticated mechanisms to help evade detection and resist reverse engineering. As opposed to typical smartphone malware, Klopatra permits its operators to fully control an infected device remotely—essentially enabling them to do whatever the legitimate user is able to do on the device. 

It has a hidden VNC mode, which allows attackers to access the device while keeping the screen black, making them completely unaware of any active activities going on in the device. This is one of the most insidious features of this malware. If malicious actors have access to such a level of access, they could open banking applications without any visible signs of compromise, initiate transfers, and manipulate device settings without anyone noticing.

A malware like Klopatra has strong defensive capabilities that make it very resilient. It maintains an internal watchlist of popular Android security applications and automatically attempts to uninstall them once it detects them, ensuring that it stays hidden from its victim. Whenever a victim attempts to uninstall a malicious application manually, they may be forced to trigger the system's "back" action, which prevents them from doing so. 

The code analysis and internal operator comments—primarily written in Turkish—led investigators to trace the malware’s origins to a coordinated threat group based in Turkey, where most of their activities were directed towards targeting Italian and Spanish financial institutions. Cleafy's findings also revealed that the third server infrastructure is carrying out test campaigns in other countries, indicating an expansion of the business into other countries in the future. 

With Klopatra, users can launch legitimate financial apps and a convincing fake login screen is presented to them. The screen gives the user the appearance of a legitimate login page, securing their credentials via direct operator intervention. The campaign evolved from a prototype created in early 2025 to its current advanced form in 2035. This information is collected and then used by the attackers in order to access accounts, often during the night when the device is idle, making suspicions less likely. 

A few documented examples illustrate that operators have left internal notes in the app's code in reference to failed transactions and victims' unlock patterns, which highlights the hands-on nature of these attacks. Cybersecurity experts warn that the best defence against malware is prevention - avoiding downloading apps from unverified sources, especially those that offer free IPTV or VPN services. Although Google Play Protect is able to identify and block many threats, it cannot detect every emerging threat. 

Whenever an app asks for deep system permissions or attempts to install secondary software, users are advised to be extremely cautious. According to Cleafy's research, curiosity about "free" streaming services or privacy services can all too easily serve as a gateway for full-scale digital compromise, so consumers need to be vigilant about these practices. In a time when convenience usually outweighs caution, threats such as Klopatra are becoming increasingly sophisticated.

A growing number of cybercriminals are exploiting popular trends such as free streaming and VPN services to ensnare unsuspecting users into ensnaring them. As a result, it is becoming increasingly essential for each individual to take steps to protect themselves. Experts recommend that users adopt a multi-layered security approach – pairing a trusted VPN with an anti-malware tool and enabling multi-factor authentication on their financial accounts to minimise damage should their account be compromised. 

The regular review of system activity and app permissions can also assist in detecting anomalies before they occur. Additionally, users should cultivate a sense of scepticism when it comes to offers that seem too good to be true, particularly when they promise unrestricted access and “premium” services without charge. In addition, organisations need to increase awareness campaigns so consumers are able to recognise the warning signs of fraudulent apps. 

The cybersecurity incidents serve as a reminder that cybersecurity is not a one-time safeguard, but must remain constant through vigilance and informed decisions throughout the evolving field of mobile security. Awareness of threats remains the first and most formidable line of defence as the mobile security battlefield continues to evolve.
Read more »
Ransomware attack
Aviation System Collins Aerospace Cyber Attacks European Flights Ransomware attack

Hundreds of European Flights Disrupted by Major Ransomware Attack

 

A major ransomware attack recently caused widespread disruption to airline operations across several key European airports, resulting in hundreds of flight cancellations and delays for passengers. The incident highlights the growing vulnerability of the aviation industry due to its heavy reliance on technology, especially third-party software for critical services such as check-in and baggage handling.

The attack specifically targeted the popular MUSE check-in and boarding system, developed by US-based Collins Aerospace, a subsidiary of RTX. European cybersecurity agency ENISA confirmed on September 22 that ransomware had affected MUSE’s operations, forcing airports in Berlin, Brussels, and London Heathrow to revert to manual systems. 

The impact was severe: Brussels Airport canceled half of its Sunday and Monday flights, and Berlin Airport reported delays exceeding an hour due to nonfunctional check-in systems. At London Heathrow, Terminal 4 experienced significant disruption, with departures delayed by up to two hours and ongoing manual check-ins.

While Collins Aerospace claimed that manual processes could mitigate problems, the scale of the disruptions proved otherwise. Staff struggled to manage operations without technological support, underscoring the risks posed by dependence on software and the critical need for robust cybersecurity measures. Restoration of MUSE was nearly complete by Monday, yet some airports like Dublin experienced minimal disruption, showing varying impacts across different locations.

The broader risk is amplified by the fact that MUSE is used by over 300 airlines at 100 airports worldwide, raising concerns about the possibility of further attacks if vulnerabilities remain unaddressed. Experts caution that a compromised update could still threaten other airports, or that attackers may use initial breaches to extort further ransom from software providers.

This incident is part of a dramatic surge in cyberattacks facing the aviation sector, which saw a staggering 600% increase in 2025 compared to the previous year, according to French aerospace company Thales. Experts point out the economic and geopolitical stakes involved, advocating for a comprehensive cybersecurity strategy, adoption of AI tools, and industry-wide collaboration to address threats. 

The attack highlights that cyberattacks may have objectives beyond operational disruption, potentially targeting sensitive data and system integrity and emphasizing the urgent need for more resilient aviation security protocols.
Read more »
VMO Incident
cyber resilience Cybersecurity Breach Data protection Digital Infrastructure Hong Kong Security Network Security Privacy Ransomware attack VMO Incident

Cheung Sha Wan Wholesale Market Faces Major Data Breach Impacting Thousands

 


As part of an alarming incident that highlights the growing threat of cyberattacks on public sector systems, the Vegetable Marketing Organisation (VMO) reported that it was targeted by a ransomware attack that disrupted the Cheung Sha Wan Vegetable Wholesale Market's operations through a ransomware attack on a segment of its computer infrastructure. 

Upon discovering the breach on October 13, immediate suspension of network service was imposed as a precautionary measure to contain the intrusion and safeguard critical data. VMO announced on Wednesday that the affected servers were quickly isolated from external access and alerted the Hong Kong Police, the Hong Kong Computer Emergency Response Team Coordination Centre, and the Office of the Privacy Commissioner for Personal Data to the incident. 

A preliminary study suggests that the attack had a significant effect on the gate and accounting systems of the market, potentially exposing the personal information of approximately 7,000 registered users to the outside world. Founded in 1946 to ensure that local produce will be available continuously, the VMO, a non-profit organisation established to ensure this, has begun a comprehensive investigation into the extent of the data breach to determine whether any personal information has been compromised, and it has promised to inform individuals if any personal information is found to be at risk.

As of Thursday, the organisation's official website has remained inaccessible as a result of the ongoing disruption that the cyber incident has caused. After detecting the breach, Vegetable Marketing Organisation engaged an external contractor to assist them with restoring the system and supporting the ongoing investigation into the attack after the breach had been discovered. 

Although the core operations of the Cheung Sha Wan Vegetable Wholesale Market remain unaffected, the company has announced that it will temporarily utilise manual processes to manage invoicing and payment procedures, ensuring continuity of operations. Hong Kong's digital resilience has been questioned in the wake of a series of cybersecurity breaches that have struck numerous prominent institutions in the city in recent years. 

These have included Cyberport, the Consumer Council, and the Hong Kong Post, raising concerns about the city's digital resilience in general. There has been an increase in cyber threats over the past few years, which has led lawmakers to pass legislation to strengthen critical infrastructure security, including penalties of up to HK$5 million for lapses in cybersecurity compliance, resulting in an increase in cybersecurity threats. 

In a statement made by the VMO, it was noted that it would conduct a thorough review of the incident and that reinforced measures would be implemented to safeguard its systems from future attacks. The Vegetable Marketing Organisation has hired an external contractor to assist with restoring its systems, thereby accelerating the recovery process and facilitating the investigation.

It was acknowledged by the organisation that, despite continuing to operate daily, certain administrative functions, such as invoicing and payment processing, are being handled manually temporarily so that business continuity can be maintained. Hong Kong has been experiencing an increasing number of cybersecurity breaches in recent years, including Cyberport, the Consumer Council, and Hong Kong Post, which have put major institutions in a state of anxiety. 

As a result, critical infrastructure remains vulnerable to cyberattacks, which has been highlighted in recent months. Recently, the city's legislature approved a new measure aimed at bolstering defences against cyberattacks, with penalties of up to HK$5 million for non-compliance outlined in the legislation. VMO reiterated its commitment to digital security, and that it places a high level of importance on cybersecurity, and that a comprehensive review of the event would be conducted, along with enhancements to network safeguards to prevent similar events from recurring. 

Considering the recent incident at the Cheung Sha Wan Vegetable Wholesale Market, it has become increasingly apparent to me that Hong Kong's public and semi-public sectors need to strengthen cybersecurity resilience urgently.

The security experts have long warned that as digital systems are becoming increasingly integrated into key components of the services that consumers rely on, the effects of cyberattacks can quickly escalate from data breaches to disruptions in the regular functioning of processes and the public trust in them. Several industry observers believe that organisations like the VMO should go beyond enhancing only technical safeguards and make a concerted effort to train their staff regularly, to perform continuous vulnerability assessments, and to update their monitoring frameworks in real time to detect anomalies early. 

As a supplement to this, the establishment of cross-agency collaboration and information-sharing mechanisms could also enhance the city's overall preparedness to handle similar attacks in the future. Despite the VMO's quick response and transparency in handling the incident, it highlights a crucial national imperative-the strengthening of cyber hygiene and cultivation of a culture of sensitive information across all levels of governance and commerce in order to mitigate the immediate risks. 

The resilience of Hong Kong's institutions will be determined by how proactive vigilance is managed against cyber-attacks as much as it will be determined by their ability to defend themselves against technological disruption.
Read more »
Ransomware attack
Asahi Beer Cyber Attacks Japanese Firm Qilin Ransomware attack

Asahi Beer Giant Hit by Cyberattack, Forced to Manual Operations

 

Japanese brewing giant Asahi Group Holdings, the manufacturer of Japan's most popular beer Super Dry, suffered a devastating ransomware attack in late September 2025 that forced the company to revert to manual operations using pen, paper, and fax machines. The cyberattack was first disclosed on September 29, when the company announced a system failure that disrupted ordering, shipping, and customer service operations across its 30 domestic breweries in Japan.

The ransomware incident, later claimed by the Qilin hacking group, forced Asahi to temporarily shut down nearly all its Japanese production facilities. The attack crippled the company's online systems, leaving vendors and business owners without access to information as call centers and customer service desks were closed. Asahi was forced to process orders manually using traditional paper-based methods and fax machines to prevent potential beverage shortages across the country.

Initial investigations revealed traces suggesting potential unauthorized data transfer, and the company later confirmed on October 14 that personal information may have been compromised. The Qilin ransomware gang claimed responsibility for the breach, alleging they stole approximately 27 gigabytes of data containing financial documents, budgets, contracts, employee personal information, and company development forecasts. Samples of allegedly stolen data included employee ID cards and other personal documents.

The cyberattack had widespread operational consequences beyond production disruptions. Asahi postponed its quarterly financial results for the third quarter of fiscal year 2025 because the incident disrupted access to accounting-related data and delayed financial closing procedures. Recovery efforts involved collaboration between Asahi's Emergency Response Headquarters, cybersecurity specialists, and Japanese cybercrime authorities.

While all breweries have partially resumed operations and restarted production, computer systems remain non-operational with no clear timeline for full recovery. The company has committed to promptly notifying affected individuals and implementing appropriate measures in accordance with personal data protection laws. This incident highlights Japan's vulnerability to ransomware attacks, as Japanese companies often have weaker cybersecurity defenses compared to other nations and are more likely to pay ransom demands.
Read more »
Third-Party Vendor Risk
Cyber Threats Cybersecurity Incident Digital Identity Theft Discord DataBreach Government ID Leak Information Security Privacy Ransomware attack SLH Third-Party Vendor Risk

Thousands of Government IDs at Risk Following Breach Involving Discord’s Verification Partner


Currently, one of the threats associated with digital identity verification can often be found in the form of cyberattacks targeting third-party service providers linked to Discord, with the result that sensitive personal data belonging to nearly 70,000 users may have been exposed. 

There has been a growing concern over the growing vulnerabilities surrounding databases created in compliance with online safety laws, which aim to protect minors, following the incident which affected a company responsible for managing customer support and mandatory age verification on behalf of the popular chat platform. 

A number of cybersecurity experts claim that this incident is part of a larger surge in attacks exploiting these newly developed compliance-driven data repositories that have been discovered in recent years. The company has confirmed that Discord's infrastructure and systems are secure. 

However, the compromised data is said to include government-issued ID documents like passports and driver's licenses, as well as names, email addresses, and limited credit card information, among others. While the company maintains that no payment information or account passwords have been accessed, some customer support communications have been exposed as well. 

During the past several months, a major cybersecurity breach has revealed a lack of trust on the part of third-party providers who are assigned the responsibility of protecting identity data -- a dependencies that continue to become a critical point of failure in today's interconnected digital ecosystems. 

In addition to government ID images, a further investigation into the breach has revealed that the attackers may have been able to access much more personal data beyond the images of government IDs, including the names of users, emails, contact information, IP addresses, and even correspondence with Discord's customer service representatives, among other things. 

Individuals familiar with the matter have reported that the perpetrators attempted to extort the company and demanded a ransom in exchange for the information they had stolen. Discord has confirmed that no credit card information or account passwords were compromised as a result of the incident.

In spite of the fact that the breach was initially disclosed last week, new information released on Wednesday suggests that up to 70,000 photo ID documents may have been exposed as a result. In a recent interview with a spokesperson for the Information Commissioner’s Office (ICO), the UK’s independent regulator responsible for handling data protection and privacy issues, it was confirmed that it had received a report from Discord and that they are currently reviewing the information provided. 

There has been an increase in the number of compromised photographs as a result of users submitting their identity to Discord's contracted customer service provider during age verification and account recovery appeals. These appeals are designed to ensure compliance with regulations restricting access to online services to individuals under the age of 18. 

As a result of the incident, we are reminded how extensive the consequences can be when consumer-facing digital platforms are compromised. A once-exclusive platform for gaming communities, Discord has now grown into one of the biggest communication platforms with over 200 million users daily, including businesses that use it to maintain customer relationships and community engagement, as well as manage customer interactions and engagement with customers. 

Originally named Scattered Lapsu$ Hunters (SLH), the group responsible for this attack originally identified itself as a group that was allegedly connected to several notorious cybercrime networks. Even though BleepingComputer reported that SLH had revised its account, directing suspicion towards another group with whom it is allegedly collaborating, after confirming the claim. 

It has been noted by experts that this type of overlapping affiliation is quite common among cybercriminal networks since they tend to share techniques, switch alliances, and interchangeable members in ways that blur attribution efforts. As Rescancharacterised it, SLH is a coalition that draws its tactics from Scattered Spider, Lapsu$, Sand hiHiny Hunters, well known for launching attacks on third parties, exploiting social engineering as a method of attacking vendors rather than deploying conventional malware. 

In almost two weeks, Discord released the news about the breach after revoking access to its support partner's systems and engaging the services of an external cybersecurity expert. The company has since notified affected users, emphasised that all official communication regarding the incident will be issued solely through its verified address, noreply@discord.com, reiterating that it will never contact users via phone calls or unsolicited messages. 

SLH (Scattered Lapsu$ Hunters) were reportedly responsible for the infiltration of the Zendesk instance on Discord starting on September 20, 2025, allegedly maintaining unauthorised access for roughly 58 hours. According to the hackers, the intrusion was triggered by a compromised account belonging to an outsourced business process provider's support agent—an incident that highlights the continuing threats that exist in third-party systems that have weak or stolen credentials. 

In the course of the attack, it has been reported that around 1.6 terabytes of data were stolen, including customer support tickets, partial payment records, and images used to verify identity. While the attacker initially demanded a ransom of $5 million, it was later dropped to $3.5 million, a negotiation tactic commonly used when victims refuse to comply with the attacker's demands. 

According to cybersecurity analysts, the breach demonstrates organisations can be exposed to significant vulnerabilities inadvertently by third-party vendors even if they maintain robust internal security defences. In many cases, attacks target external supply chains and support partners as their security protocols may differ from those of the primary organisation, so attackers often take advantage of those weaknesses. 

According to experts, the compromised dataset in this case contains sensitive identifiers, billing information, and private message exchanges - data that users normally regard as highly confidential. Experts have emphasised that this isn't the only incident associated with Discord in recent years. As a result of another support agent's credentials being compromised, the platform disclosed a similar breach in March 2023, exposing emails and attachments submitted by customers through support tickets. 

The recurrence of such events has prompted stronger vendor management policies to be established, as well as multifactor authentication for all contractor accounts, as well as stricter scrutiny on the access of sensitive information by third parties. Even a well-established platform like Discord remains vulnerable to cyberattacks if trust is extended beyond its digital walls. This is the lesson that has been learned from the Discord breach. 

A cybersecurity expert emphasised that the urgent need for companies to review their reliance on external vendors to handle sensitive verification data is becoming increasingly apparent as the investigation continues. To safeguard user privacy, it has become essential to strengthen contractual security obligations, implement strict credential management, and conduct periodic third-party audits. These steps are now seen as non-negotiable steps. 

As a result of this incident, individuals are reminded how crucial it is to take proactive measures such as enabling multi-factor authentication, verifying the authenticity of official communications, and monitoring their financial and identity activities for potential irregularities. With cyberattacks becoming more sophisticated and opportunistic, it is becoming increasingly crucial to use both vigilance on the part of individuals as well as corporate responsibility to prevent them. 

Ultimately, the Discord case illustrates a broader truth about the current digital landscape-security is no longer restricted to the company's own systems, but extends to all partners, platforms, and processes that are connected to them. The organisations must continue to balance compliance, convenience, and consumer trust, but the strength of the entire chain will ultimately depend on how well they can secure the weakest link.
Read more »
Ransomware attack
Data Breach Data Theft DCS J Group Ransomware attack

Ransomware Gang Claims Boeing, Samsung Supplier Breach in 11GB Data Theft

 

A ransomware group named J GROUP claims to have breached Dimensional Control Systems (DCS), stealing 11GB of sensitive data, including proprietary software architecture, client metadata, and internal security procedures. 

DCS, a Michigan-based provider of dimensional engineering software, serves major clients such as Boeing, Samsung, Siemens, and Volkswagen across aerospace, automotive, and electronics sectors.

Alleged data exposure

J GROUP published sample files on its leak site to substantiate the attack, comprising a text file and a compressed folder containing documents with employee names and expense reports. Cybernews researchers analyzed the samples but could not verify their authenticity, cautioning that cybercriminals often reuse data from past breaches to falsely support new extortion claims.

Company response and risks

As of the report, DCS has neither confirmed nor denied the breach, maintaining public silence. Local media outlets in Michigan contacted the company for comment but received no response. 

If the breach is confirmed, it could lead to severe consequences, including intellectual property theft, supply chain vulnerabilities, exposure of client data, and regulatory repercussions. The incident may also damage DCS’s reputation, eroding client trust and questioning its technical and security reliability.

Rising threat 

This incident aligns with a growing trend of ransomware attacks targeting third-party vendors to access high-value industrial clients. Previous attacks on firms like Nissan and Dell highlight similar tactics, where threat actors exploit service providers to infiltrate larger organizations. 

The alleged breach underscores the need for stringent cybersecurity measures across extended supply chains, particularly in manufacturing and engineering sectors reliant on specialized software. 

Organizations are urged to audit vendor security protocols and enhance monitoring for early threat detection. The situation remains ongoing, with no official statement from DCS as of publication.
Read more »
Ransomware attack
Australia Cyber Attacks pharma scam Ransomware attack

Toowoomba Pharmacy Targeted in Ransomware Attack

A pharmacy in Toowoomba, Queensland, has become the latest victim of a ransomware attack, highlighting growing concerns about the digital vulnerability of small businesses. 

The incident occurred last month when hackers gained access to the Friendlies Society Dispensary’s private IT systems. Authorities believe sensitive data stored on the system may have been compromised. 

A coordinated investigation is now underway, involving the National Office of Cyber Security, the Australian Cyber Security Centre, Services Australia, Queensland Health, the National Disability Insurance Agency, and the Department of Home Affairs. 

Bayden Johnson, Chief Executive Officer of the Friendlies Society Dispensary, said the organisation acted quickly once the attack was detected. “We immediately took steps to secure our systems and understand the nature of the incident,” he said. “Our priority now is to determine what information was accessed and ensure all necessary precautions are taken.” 

The pharmacy, which offers healthcare services and mobility support equipment, is cooperating fully with federal authorities. The Department of Home Affairs stated that Services Australia’s systems remain secure and were not affected by the breach. It added that ongoing monitoring is being carried out to detect any irregular activity. 

According to the Australian Signals Directorate (ASD), ransomware incidents account for 11 percent of all reported cyberattacks in the country. 

The ASD’s 2023–24 Annual Cyber Threat Report revealed that a cybercrime report is lodged roughly every six minutes, with small businesses reporting an average loss of $49,600 per attack. 

Associate Professor Saeed Akhlaghpour from the University of Queensland’s Cyber Research Centre said cybercriminals are constantly evolving their tactics. “Attackers are no longer just locking files; they are also stealing and leaking data. Ransomware can even be delivered through browsers, apps, or malicious file uploads,” he explained. 

Dr Akhlaghpour, who researches cybersecurity risks in the healthcare sector, said health organisations such as pharmacies, medical practices, and gyms often face higher risks due to inconsistent monitoring and handling of sensitive information. 

He noted that human error is still the leading cause of ransomware attacks, as employees often reuse passwords or click on unsafe links in haste. With the rise of AI-powered tools that make it easier for criminals to conduct large-scale attacks, he urged small business owners to invest in better cybersecurity systems and response plans. 

“Many breaches occur because of poor risk management and the absence of a clear response strategy,” he said. “Regular monitoring can prevent many of these problems.” 

Dr Akhlaghpour also advised businesses not to pay ransoms if they fall victim to an attack. “You cannot trust criminals. Paying the ransom rarely restores data and often leads to further targeting. Stolen data is frequently resold on the dark web,” he warned. 

Authorities continue to monitor the situation in Toowoomba as cybersecurity experts remind small business owners across Australia to take preventive measures and strengthen their defences against the growing threat of ransomware.
Read more »
Volvo
Data Breach DataCarry Miljödata Ransomware attack Volvo

Volvo NA Employee Data Exposed in Miljödata Ransomware Attack

 

Volvo North America recently disclosed that sensitive employee information was compromised following a ransomware attack targeting its HR software provider, Miljödata. The breach, attributed to the DataCarry ransomware group, exposed names and social security numbers of Volvo staff after cybercriminals infiltrated Miljödata’s cloud-hosted Adato system in August 2025.

The confirmation of Volvo’s affected data came on September 2, several days after Miljödata detected the intrusion on August 23. Miljödata responded by initiating an investigation, collaborating with cybersecurity experts, and enhancing security measures to prevent future incidents, while Volvo Group continues to closely monitor the evolving situation.

DataCarry claimed responsibility for the attack, posting Miljödata’s stolen files on a dark web site for download. Adato, a specialized HR platform used primarily to manage employee sick leave and rehabilitation, became the focal point of the attack. The fallout extended beyond Volvo, impacting other organizations and municipalities across Sweden, since around 80 percent of Sweden’s 290 municipalities use Miljödata’s software.

Some victims suffered broader data exposure, including phone numbers, addresses, gender, and employment details, depending on how they used Adato. According to the Swedish Herald’s prosecutor Sandra Helgadottir, about 1.5 million individuals were impacted, reflecting the large footprint of Miljödata’s clientele.

Swedish airline SAS, which employed Adato until June 2021, confirmed that current and former employees who joined before June 21, 2021, might have had personal and sick leave information exposed. The City of Stockholm was also affected, despite not operating live systems with Miljödata, with data related to workplace incident reporting and employee accounts among the compromised information.

The attack disrupted services in approximately 200 municipalities, and additional victims included several prominent universities such as Chalmers, Karlstad, Lunds, Linköping, Umeå, and the Swedish University of Agricultural Sciences, all of which reported being affected due to Adato usage. Uppsala University avoided the breach by running Adato on-premises.

This incident underscores the substantial downstream risks created by third-party vendor breaches, as malicious actors increasingly target interconnected systems holding large volumes of personal and employment data. Organizations affected are responding with investigations, security upgrades, and disclosures to regulatory authorities, highlighting the critical need to safeguard supply chain platforms and scrutinize cloud-hosted environments for vulnerabilities.
Read more »
Ransomware attack
Banking data leaks customer data compromise Cyber Attacks Data Leak Data protection data security insight leaked sensitive data Ransomware attack

Insight Partners Ransomware Attack Exposes Data of Thousands of Individuals

 

Insight Partners, a New York-based venture capital and private equity firm, is notifying thousands of individuals that their personal information was compromised in a ransomware attack. The firm initially disclosed the incident in February, confirming that the intrusion stemmed from a sophisticated social engineering scheme that gave attackers access to its systems. Subsequent investigations revealed that sensitive data had also been stolen, including banking details, tax records, personal information of current and former employees, as well as information connected to limited partners, funds, management companies, and portfolio firms. 

The company stated that formal notification letters are being sent to all affected parties, with complimentary credit monitoring and identity protection services offered as part of its response. It clarified that individuals who do not receive a notification letter by the end of September 2025 can assume their data was not impacted. According to filings with California’s attorney general, which were first reported by TechCrunch, the intrusion occurred in October 2024. Attackers exfiltrated data before encrypting servers on January 16, 2025, in what appears to be the culmination of a carefully planned ransomware campaign. Insight Partners explained that the attacker gained access to its environment on or around October 25, 2024, using advanced social engineering tactics. 

Once inside, the threat actor began stealing data from affected servers. Months later, at around 10:00 a.m. EST on January 16, the same servers were encrypted, effectively disrupting operations. While the firm has confirmed the theft and encryption, no ransomware group has claimed responsibility for the incident so far. A separate filing with the Maine attorney general disclosed that the breach impacted 12,657 individuals. The compromised information poses risks ranging from financial fraud to identity theft, underscoring the seriousness of the incident. 

Despite the scale of the attack, Insight Partners has not yet responded to requests for further comment on how it intends to manage recovery efforts or bolster its cybersecurity posture going forward. Insight Partners is one of the largest venture capital firms in the United States, with over $90 billion in regulatory assets under management. Over the past three decades, it has invested in more than 800 software and technology startups globally, making it a key player in the tech investment ecosystem. 

The breach marks a significant cybersecurity challenge for the firm as it balances damage control, regulatory compliance, and the trust of its investors and partners.
Read more »
Technology
AI training threat Artists&Clients hack LunaLock ransomware Ransomware attack stolen artwork Technology

Ransomware Group Uses AI Training Threats in Artists & Clients Cyberattack

 

Cybercriminals behind ransomware attacks are adopting new intimidation methods to push victims into paying up. In a recent case, the LunaLock ransomware gang has escalated tactics by threatening to sell stolen artwork for AI training datasets.

The popular platform Artists&Clients, which connects artists with clients for commissioned projects, was hacked around August 30. According to reports, a ransom note appeared on the site’s homepage stating: “All files have been encrypted and the site has been breached.” The attackers demanded at least $50,000 in Bitcoin or Monero, promising to delete stolen data and restore access once payment was made.

What sets this attack apart is the warning that stolen artwork could be handed over to “AI companies” to train large language models. This is especially alarming as Artists&Clients explicitly prohibits AI involvement on its platform. Security researcher Tammy Harper highlighted, “this is the first known instance of a ransomware group explicitly using AI training as a threat to extort victims.”

If the ransom is not paid, LunaLock claims it will leak sensitive information including personal data, commissions, and payment records—potentially triggering GDPR violations in Europe. While the group did not clarify how they would provide the artwork to AI firms, experts suggest they might simply publish an open database accessible to AI crawlers.

Currently, the Artists&Clients website is offline, leaving users anxious about compromised messages, transactions, and commissioned work. No official statement has been released by the platform. Harper emphasized that this tactic may hit creators especially hard, as many strongly oppose their work being exploited for AI training without consent or compensation.
Read more »
Ransomware attack
Cyber Fraud Data Stolen MathWorks Ransomware attack

MathWorks Confirms Ransomware Incident that Exposed Personal Data of Over 10,000 People

 




MathWorks, the company behind MATLAB and Simulink, has confirmed a ransomware attack that disrupted several of its online services and internal systems. The company said the disruption affected services customers use to sign in and manage software, and that it alerted federal law enforcement while investigating the incident. 

According to state notifications filed with regulators, the attack resulted in the unauthorized access and theft of personal information for 10,476 people. These filings list the full count reported to state authorities. 


What was taken and who is affected

The company’s notices explain that the records exposed vary by person, but may include names, postal addresses, dates of birth, Social Security numbers, and in some cases non-U.S. national ID numbers. In short, the stolen files could contain information that makes victims vulnerable to identity theft. 

MathWorks’ own statements and regulatory notices put the window of unauthorized access between April 17 and May 18, 2025. The company discovered the breach on May 18 and publicly linked the outage of several services to a ransomware incident in late May. MathWorks says forensic teams contained the threat and that investigators found no ongoing activity after May 18. 


What is not yet known 

MathWorks has not identified any named ransomware group in public statements, and so far there is no verified public evidence that the stolen data has been published or sold. The company continues to monitor the situation and has offered identity protection services for those notified. 


What you can do 

If you use MathWorks products, check your account notices and follow any enrollment instructions for identity protection. Monitor financial and credit accounts, set up fraud alerts if you see suspicious activity, and change passwords for affected services. If you receive unusual messages or requests for money or personal data, treat them with suspicion and report them to your bank or local authorities.

Keep an eye on financial activity: Regularly review your bank and credit card statements to spot unauthorized transactions quickly.

Consider credit monitoring or freezes: In countries where these services are available, they can help detect or prevent new accounts being opened in your name.

Reset passwords immediately: Update the password for your MathWorks account and avoid using the same password across multiple platforms. A password manager can help create and store strong, unique passwords.

Enable multi-factor authentication: Adding a second layer of verification makes it much harder for attackers to gain access, even if they have your login details.

Stay alert for phishing attempts: Be cautious of unexpected emails, calls, or texts asking for sensitive information. Attackers may use stolen personal details to make their messages appear more convincing.



Read more »
unauthorised access
Data Breach MTA Ransomware attack Security Breach unauthorised access

Maryland’s Paratransit Service Hit by Ransomware Attack

 

The Maryland Transit Administration (MTA), operator of one of the largest multi-modal transit systems in the United States, is currently investigating a ransomware attack that has disrupted its Mobility paratransit service for disabled travelers. 

While the agency’s core transit services—including Local Bus, Metro Subway, Light Rail, MARC, Call-A-Ride, and Commuter Bus—remain operational, the ransomware incident has left the MTA unable to accept new ride requests for its Mobility service, which is critical for individuals with disabilities who rely on specialized transportation. 

According to the MTA, the cybersecurity breach involved unauthorized access to certain internal systems. The agency is working closely with the Maryland Department of Information Technology to assess and mitigate the impact. Riders who had already scheduled Mobility trips prior to the attack will still receive their services as planned. However, until the issue is resolved, new bookings cannot be processed through the standard Mobility system.

In response to the disruption, the MTA is directing eligible customers to its Call-A-Ride program as an alternative. This service can be accessed online or by phone, providing a temporary solution for those in need of transportation while the Mobility system remains unavailable for new requests.

The agency has emphasized its commitment to resolving the incident quickly and securely, promising regular updates as more information becomes available. 

This incident is not isolated. Over the past two years, similar ransomware attacks have targeted paratransit and public transit services in multiple states, including Missouri and Virginia, often leaving municipalities to scramble for alternative solutions for disabled residents.

The MTA has stated that its primary focus is on ensuring the safety and security of both customers and employees. It is collaborating with government partners and media outlets to keep the public informed and to support affected communities throughout the recovery process. 

The MTA’s experience underscores the growing risk that ransomware poses to critical public infrastructure, particularly services that support vulnerable populations. As investigations continue, the agency urges customers to stay informed through official channels and to utilize available alternatives like Call-A-Ride until normal operations can resume.
Read more »
Vulnerabilities and Exploits
Business Security Data I/O Ransomware attack Supply Chain Vulnerabilities and Exploits

Data I/O Ransomware Attack Exposes Vulnerability in Global Electronics Supply Chain

 

Data I/O, a leading manufacturer specializing in device programming and security provisioning solutions, experienced a major ransomware attack in August 2025 that crippled core operations and raised industry-wide concerns about supply chain vulnerabilities in the technology sector.

The attack, first detected on August 16, 2025, used a sophisticated phishing campaign to compromise network credentials, enabling the attackers to exploit vulnerabilities in the company’s remote access systems and achieve lateral movement across network segments. 

This incident resulted in the encryption of critical proprietary data, including chip design schematics, manufacturing blueprints, sensitive communications, and firmware for products used by major clients such as Amazon, Apple, Google, and automotive manufacturers. 

Attack methodology 

Investigations mapped the attack to multiple MITRE ATT&CK techniques: T1566 for phishing, T1021 for remote services exploitation, T1486 for impact via data encryption, and possible use of T1078 via valid accounts. The attackers sent deceptive emails to Data I/O employees that tricked users into surrendering network credentials or accessing malicious links. After gaining access, the adversaries leveraged weaknesses in remote connectivity protocols to move laterally and encrypt essential files.

The ransomware incident caused widespread disruptions: internal and external communications, shipping, receiving, manufacturing production lines, and support functions were all impacted. The company activated incident response protocols, isolating affected systems and proactively taking critical platforms offline to prevent further spread. As of late August, some systems remained offline, without a clear timeline for full restoration. 

Broader implications 

Data I/O’s strategic role as a supply chain hub in electronics manufacturing made it a disproportionate target. Disruption reverberated across technology, automotive, and IoT sectors due to the company’s handling of security credentials and firmware for multi-billion-dollar products.

The incident underscores how ransomware operators increasingly target manufacturing entities, exploiting supply chain vulnerabilities to extract ransoms and maximize operational harm. The attackers reportedly demanded a ransom of $30 million, threatening to release encrypted data publicly if payment was not made within 72 hours. 

Data I/O engaged external cybersecurity experts and forensic professionals, initiated a full-scale investigation, and pledged transparency as more details emerged. The incident highlights urgent needs for improved remote access security, robust phishing defenses, and faster detection and response capabilities across the technology manufacturing sector. 

Analysts warn this attack may foreshadow future campaigns targeting critical infrastructure and high-tech supply chains, stressing the necessity for more resilient cybersecurity strategies.
Read more »
Ransomware attack
Cyber Security cybercrime Germany Einhaus Group insolvency mobile phone repair Ransomware attack

Einhaus Group Faces Insolvency After Devastating 2023 Ransomware Attack

 

German mobile phone insurance, repair, and logistics provider Einhaus Group has disclosed the severe financial toll of a crippling ransomware attack in 2023. At its peak, the company had a presence in more than 5,000 retail outlets across Germany, working with major telecom players such as Deutsche Telekom and 1&1, and generating annual revenues of up to €70 million.

In 2023, the notorious ransomware group “Royal” infiltrated the company’s systems, encrypting crucial data — including contracts, billing information, and internal communications — and bringing operations to a standstill. 

The attackers left chilling messages via office printers warning, “the company had been hacked”, and locked down critical infrastructure. The breach resulted in operational paralysis, millions in lost revenue, and total damages reaching the mid-seven-figure range. Reports indicate Einhaus paid a €200,000 ransom in Bitcoin to recover its data.

German cybercrime authorities have since identified three suspects. Although prosecutors seized the ransom-paid cryptocurrency, the funds were never returned, leaving Einhaus unable to achieve a full recovery.

The aftermath has been severe — staff numbers have plummeted from around 170 to just eight, while the company has sold off property and investments to offset losses. Three subsidiaries, including 24logistics, have filed for insolvency, and mobile phone repair operations have ceased entirely.

Einhaus Group now joins a growing list of high-profile businesses shuttered by ransomware incidents, including the UK’s Knights of Old transport firm, Stoli USA, and Finland’s Vastaamo. The case underscores the increasing frequency and financial devastation of cyberattacks, particularly ransomware, for businesses worldwide.
Read more »
SafePay ransomware
Data Breach Data Leak Ransomware attack Ridgefield Public Schools SafePay ransomware

Ridgefield Public Schools Faces 2-day Deadline After Hackers Threaten to Leak 90 GB of Stolen Data

 

Ridgefield Public Schools in Connecticut was hit by a ransomware attack on July 24, 2025, with the SafePay ransomware gang now threatening to release 90 GB of stolen data within two days if ransom demands aren't met.

The school district's cybersecurity tools detected attempts to deploy an encryption malware, prompting them to immediately take their computer network offline to investigate. While RPS confirmed that a ransom was demanded, they haven't revealed the amount or whether it was paid. The fact that SafePay has now published the school district on its leak site suggests negotiations have failed. 

Impact on school operations 

System restoration is ongoing, with RPS hoping teachers would regain email access this week. The district serves approximately 4,500 students across nine schools (six elementary, two middle schools, and one high school). They are investigating potential data breaches and offering advice on data protection in case sensitive personal information was stolen.

Broader education sector threats 

This attack is part of a concerning trend - 26 confirmed ransomware attacks have hit the US education sector in 2025 so far, with 49 more unconfirmed. Recent victims include School District 5 of Lexington and Richland Counties (1.3 TB stolen), Franklin Pierce Schools ($400,000 ransom demand), and Manassas Park City Schools where Social Security numbers and financial data may have been compromised.

In 2024 alone, nearly 3 million records were breached across 83 attacks on US educational institutions, highlighting the severe ongoing impact on schools, colleges, and universities. 

About SafePay ransomware group 

SafePay first emerged in November 2024 and has since conducted 278 tracked attacks, with 35 confirmed by victims. The group uses LockBit-based ransomware and employs a double-extortion technique - demanding payment both to decrypt systems and delete stolen data. RPS is the sixth educational institution confirmed to have fallen victim to SafePay, following attacks on Harrison County Board of Education and a Czech school this year.
Read more »
Subscribe to: Comments (Atom)