As February 2026 progresses, this week’s The Cyber Express Weekly Roundup examines a series of cybersecurity incidents and enforcement actions spanning Europe, Africa, Australia, and the United States.   The developments include a breach affecting the European Commission’s mobile management infrastructure, a ransomware attack disrupting Senegal’s national identity systems, a landmark financial penalty imposed on an Australian investment firm, and the sentencing of a fugitive linked to a multimillion-dollar cryptocurrency scam.  From suspected exploitation of zero-day vulnerabilities to prolonged breach detection failures and cross-border financial crime, these cases highlights the operational, legal, and systemic dimensions of modern cyber risk.  

The Cyber Express Weekly Roundup 

European Commission Mobile Infrastructure Breach Raises Supply Chain Questions 

The European Commission reported a cyberattack on its mobile device management (MDM) system on January 30, potentially exposing staff names and mobile numbers, though no devices were compromised, and the breach was contained within nine hours. Read more... 

Ransomware Disrupts Senegal’s National Identity Systems 

In West Africa, a major cyberattack hit Senegal’s Directorate of File Automation (DAF), halting identity card production and disrupting national ID, passport, and electoral services. While authorities insist no personal data was compromised, the ransomware group. The full extent of the breach is still under investigation. Read more... 

Australian Court Imposes Landmark Cybersecurity Penalty 

In Australia, FIIG Securities was fined AU$2.5 million for failing to maintain adequate cybersecurity protections, leading to a 2023 ransomware breach that exposed 385GB of client data, including IDs, bank details, and tax numbers. The firm must also pay AU$500,000 in legal costs and implement an independent compliance program. Read more... 

Crypto Investment Scam Leader Sentenced in Absentia 

U.S. authorities sentenced Daren Li in absentia to 20 years for a $73 million cryptocurrency scam targeting American victims. Li remains a fugitive after fleeing in December 2025. The Cambodia-based scheme used “pig butchering” tactics to lure victims to fake crypto platforms, laundering nearly $60 million through U.S. shell companies. Eight co-conspirators have pleaded guilty. The case was led by the U.S. Secret Service. Read more... 

India Brings AI-Generated Content Under Formal Regulation 

India has regulated AI-generated content under notification G.S.R. 120(E), effective February 20, 2026, defining “synthetically generated information” (SGI) as AI-created content that appears real, including deepfakes and voiceovers. Platforms must label AI content, embed metadata, remove unlawful content quickly, and verify user declarations. Read More... 

Weekly Takeaway 

Taken together, this weekly roundup highlights the expanding attack surface created by digital transformation, the persistence of ransomware threats to national infrastructure, and the intensifying regulatory scrutiny facing financial institutions.  From zero-day exploitation and supply chain risks to enforcement actions and transnational crypto fraud, organizations are confronting an environment where operational resilience, compliance, and proactive monitoring are no longer optional; they are foundational to trust and continuity in the digital economy. 

Australian fixed-income firm FIIG Securities has been fined AU$2.5 million after the Federal Court found it failed to adequately protect client data from cybersecurity threats over a period exceeding four years. The penalty follows a major FIIG cyberattack in 2023 that resulted in the theft and exposure of highly sensitive personal and financial information belonging to thousands of clients.  It is the first time the Federal Court has imposed civil penalties for cybersecurity failures under the general obligations of an Australian Financial Services (AFS) license.   In addition to the fine, the court ordered FIIG Securities to pay AU$500,000 toward the Australian Securities and Investments Commission’s (ASIC) enforcement costs. FIIG must also implement a compliance program, including the engagement of an independent expert to ensure its cybersecurity and cyber resilience systems are reasonably managed going forward. 

FIIG Cyberattack Exposed Sensitive Client Data After Years of Security Gaps 

The enforcement action stems from a ransomware attack that occurred in 2023. ASIC alleged that between March 2019 and June 2023, FIIG Securities failed to implement adequate cybersecurity measures, leaving its systems vulnerable to intrusion. On May 19, 2023, a hacker gained access to FIIG’s IT network and remained undetected for nearly three weeks.  During that time, approximately 385 gigabytes of confidential data were exfiltrated. The stolen data included names, addresses, dates of birth, driver’s licences, passports, bank account details, tax file numbers, and other sensitive information. FIIG later notified around 18,000 clients that their personal data may have been compromised as a result of the FIIG cyberattack.  Alarmingly, FIIG Securities did not discover the breach on its own. The company became aware of the incident only after being contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on June 2. Despite receiving this warning, FIIG did not launch a formal internal investigation until six days later.  FIIG admitted it had failed to comply with its AFS licence obligations and acknowledged that adequate cybersecurity controls would have enabled earlier detection and response. The firm also conceded that adherence to its own policies and procedures could have prevented much of the client information from being downloaded. 

Regulatory Action Against FIIG Securities Sets Precedent for Cybersecurity Enforcement 

ASIC Deputy Chair Sarah Court said the case highlights the growing risks posed by cyber threats and the consequences of inadequate controls. “Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk,” she said. “ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk.”  ASIC Chair Joe Longo described the matter as a broader warning for Australian businesses. “This matter should serve as a wake-up call to all companies on the dangers of neglecting cybersecurity systems,” he said, emphasizing that cybersecurity is not a “set and forget” issue but one that requires continuous monitoring and improvement.  ASIC alleged that FIIG Securities failed to implement basic cybersecurity protection, including properly configured firewalls, regular patching of software and operating systems, mandatory cybersecurity training for staff, and sufficient allocation of financial and human resources to manage cyber risk.  Additional deficiencies cited by ASIC included the absence of an up-to-date incident response plan, ineffective privileged access management, lack of regular vulnerability scanning, failure to deploy endpoint detection and response tools, inadequate use of multi-factor authentication, and a poorly configured Security Information and Event Management (SIEM) system. 

Lessons From the FIIG Cyberattack for Australia’s Financial Sector 

Cybersecurity experts have pointed out that the significance of the FIIG cyberattack lies not only in the breach itself but in the prolonged failure to implement reasonable protections. Annie Haggar, Partner and Head of Cybersecurity at Norton Rose Fulbright Australia, noted in a LinkedIn post that ASIC’s case provides clarity on what regulators consider “adequate” cybersecurity. Key factors include the nature of the business, the sensitivity of stored data, the value of assets under management, and the potential impact of a successful attack.  The attack on FIIG Securities was later claimed by the ALPHV/BlackCat ransomware group, which stated on the dark web that it had stolen approximately 385GB of data from FIIG’s main server. The group warned the company that it had three days to make contact regarding the consequences of what it described as a failure by FIIG’s IT department.  According to FBI and Center for Internet Security reports, the ALPHV/BlackCat group gains initial access using compromised credentials, deploys PowerShell scripts and Cobalt Strike to disable security features, and uses malicious Group Policy Objects to spread ransomware across networks.  The breach was discovered after an employee reported being locked out of their email account. Further investigation revealed that files had been encrypted and backups wiped. While FIIG managed to restore some systems, other data could not be recovered. 

The recent Senegal cyberattack on the Directorate of File Automation (DAF) has done more than disrupt government services. It has exposed how vulnerable the country’s most sensitive data systems really are, and why cybersecurity can no longer be treated as a technical issue handled quietly in the background. DAF, the government agency responsible for managing national ID cards, passports, biometric records, and electoral data, was forced to temporarily shut down operations after detecting a cyber incident. For millions of Senegalese citizens, this means delays in accessing essential identity services. For the country, it raises far bigger concerns about data security and national trust.

Senegal Cyberattack Brings Identity Services to a Standstill

In an official public notice, DAF confirmed that the production of national identity cards had been suspended following the cyberattack. Authorities assured citizens that personal data had not been compromised and that systems were being restored. However, as days passed and the DAF website remained offline, doubts began to grow. A Senegal cyberattack affecting such a critical agency is not something that can be brushed off quickly, especially when biometric and identity data are involved. [caption id="attachment_109392" align="aligncenter" width="500"] Image Source: X[/caption]

Hackers Claim Theft of Massive Biometric Data

The situation escalated when a ransomware group calling itself The Green Blood Group claimed responsibility for the attack. The group says it stole 139 terabytes of data, including citizen records, biometric information, and immigration documents. To back up its claims, the hackers released data samples on the dark web. They also shared an internal email from IRIS Corporation Berhad, a Malaysian company working with Senegal on its digital national ID system. In the email, a senior IRIS executive warned that two DAF servers had been breached and that card personalization data may have been accessed. Emergency steps were taken, including cutting network connections and shutting access to external offices. Even if authorities insist that data integrity remains intact, the scale of the alleged breach makes the Senegal cyberattack impossible to ignore.

Implications of the Senegal Cyberattack

DAF is not just another government office. It manages the digital identities of Senegalese citizens. Any compromise—real or suspected—creates long-term risks, from identity fraud to misuse of biometric data. What makes this incident more worrying is that it is not the first major breach. Just months ago, Senegal’s tax authority also suffered a cyberattack. Together, these incidents point to a larger problem: critical systems are being targeted, and attackers are finding ways in. Cybercrime groups are no longer experimenting in Africa. They are operating with confidence, speed, and clear intent. The Green Blood Group, which appeared only recently, has reportedly targeted just two countries so far—Senegal and Egypt. That alone should be taken seriously.

Disputes, Outsourcing, and Cybersecurity Blind Spots

The cyberattack also comes during a payment dispute between the Senegalese government and IRIS Corporation. While no official link has been confirmed, the situation highlights a key issue: when governments rely heavily on third-party vendors, cybersecurity responsibility can become blurred. The lesson from this Senegal cyberattack is simple and urgent. Senegal needs a dedicated National Cybersecurity Agency, along with a central team to monitor, investigate, and respond to cyber incidents across government institutions. Cyberattacks in Africa are no longer rare or unexpected. They are happening regularly, and they are hitting the most sensitive systems. Alongside better technology, organizations must focus on insider threats, staff awareness, and leadership accountability. If sensitive data from this attack is eventually leaked, the damage will be permanent. Senegal still has time to act—but only if this warning is taken seriously.

Singapore has launched its largest-ever coordinated cyber defense operation following a highly targeted cyberattack on telecommunications that affected all four of the country’s major telecommunications operators.   The cyberattack in Singapore was attributed to the advanced threat actor UNC3886, according to Minister for Digital Development and Information and Minister-in-charge of Cybersecurity and Smart Nation Group, Josephine Teo. She disclosed the details on Feb. 9 while speaking at an engagement event for cyber defenders involved in the national response effort, codenamed Operation Cyber Guardian.  Teo confirmed that the UNC3886 cyberattack in Singapore targeted M1, Singtel, StarHub, and Simba.

Also read: ‘UNC3886 is Attacking Our Critical Infrastructure Right Now’: Singapore’s National Security Lawmaker

Decoding the UNC3886 Cyberattack in Singapore 

Once suspicious activity was detected, the affected operators immediately alerted the Infocomm Media Development Authority (IMDA) and the Cyber Security Agency of Singapore (CSA). CSA, IMDA, and several other government bodies then launched Operation Cyber Guardian to contain the breach.   The operation involved more than 100 cyber defenders from six government agencies, including CSA, IMDA, the Singapore Armed Forces’ Digital and Intelligence Service, the Centre for Strategic Infocomm Technologies, the Internal Security Department, and GovTech, all working closely with the telcos.  Teo said the response has, for now, managed to limit the attackers’ activities. Although the attackers accessed a small number of critical systems in one instance, they were unable to disrupt services or move deeper into the telco networks. “There is also no evidence thus far to suggest that the attackers were able to access or steal sensitive customer data,” she said. 

UNC3886 Cyberattack Posed Severe Risks to Essential Services 

Despite the containment, Teo warned against complacency. She stressed that the cyberattack in Singapore highlighted the presence of persistent threat actors capable of targeting critical infrastructure. She added that sectors such as power, water, and transport could also face similar threats and urged private-sector operators to remain vigilant.  The government, Teo said, will continue to work closely with critical infrastructure operators through cybersecurity exercises and the sharing of classified threat intelligence to enable early detection and faster response. “But even as we try our best to prevent and detect cyber-attacks, we may not always be able to stop them in time,” she said. “All of us must also be prepared for the threat of disruption.”  The UNC3886 operation was first revealed publicly in July 2025 by Minister for Home Affairs and Coordinating Minister for National Security K Shanmugam. Teo described the telecommunication cyberattack as a “potentially more serious threat” than previous cyber incidents faced by Singapore, noting that it targeted systems directly responsible for delivering essential public services.  “The consequences could have been more severe,” she said. “If the attack went far enough, it could have allowed the attacker to one day cut off telecoms or internet services.”  Investigations later revealed that the UNC3886 cyberattack in Singapore was a deliberate, targeted, and well-planned campaign aimed specifically at the telco sector. The attackers exploited a zero-day vulnerability, a previously unknown flaw for which no patch was available at the time. Teo likened this to “finding a new key that no one else had found, to unlock the doors to our telcos’ information system and networks.”  After gaining access, UNC3886 reportedly stole a small amount of technical data and used advanced techniques to evade detection and erase forensic traces. Beyond espionage, the group was assessed to have the capability to disrupt telecommunications and internet services, which could have had knock-on effects on banking, finance, transport, and medical services. 

Telcos and Government Strengthen Defenses Against Persistent Threats 

In a joint statement, M1, Singtel, StarHub, and Simba said they face a wide range of cyber threats, including distributed denial-of-service attacks, malware, phishing, and persistent campaigns.   To counter these risks, the telcos said they have implemented defense-in-depth measures and carried out prompt remediation when vulnerabilities are identified. They also emphasized close collaboration with government agencies and industry experts to strengthen resilience. “Protecting our critical infrastructure is a top priority. We will continue to keep pace with the evolving cyber threat landscape and update our measures accordingly,” the statement said.  UNC3886 is a China-linked cyber espionage actor classified as an Advanced Persistent Threat. The “UNC” label indicates that the group remains uncategorized. Cybersecurity researchers have observed that UNC3886 frequently targets network devices and virtualization technologies, often exploiting zero-day vulnerabilities. The group primarily focuses on defense, technology, and telecommunication organizations in the United States and Asia. 

As the first week of February 2026 concludes, The Cyber Express weekly roundup examines the developments shaping today’s global cybersecurity landscape. Over the past several days, governments, technology companies, and digital platforms have confronted a wave of cyber incidents ranging from disruptive attacks on public infrastructure to large-scale data exposures and intensifying regulatory scrutiny of artificial intelligence systems.  This week’s cybersecurity reporting reflects a broader pattern: rapid digital expansion continues to outpace security maturity. High-profile breaches, misconfigured cloud environments, and powerful AI tools are creating both defensive opportunities and significant new risks.  

The Cyber Express Weekly Roundup 

Cyberattack Disrupts Spain’s Ministry of Science Operations 

Spain’s Ministry of Science, Innovation, and Universities confirmed that a cyberattack forced a partial shutdown of its IT systems, disrupting digital services relied upon by researchers, universities, students, and businesses nationwide. Initially described as a technical incident, the disruption was later acknowledged as a cybersecurity event that required the temporary closure of the ministry’s electronic headquarters. Read more.. 

OpenAI Expands Controlled Access to Advanced Cyber Defense Models 

OpenAI announced the launch of Trusted Access for Cyber, a new initiative designed to strengthen defensive cybersecurity capabilities while limiting the potential misuse of highly capable AI systems. The program provides vetted security professionals with controlled access to advanced models such as GPT-5.3-Codex, which OpenAI identifies as its most cyber-capable reasoning model to date. Read more.. 

French Authorities Escalate Investigations Into X and Grok AI 

French police raided offices belonging to the social media platform X as European investigations expanded into alleged abuses involving its Grok AI chatbot. Authorities are examining claims that Grok generated nonconsensual sexual deepfakes, child sexual abuse material (CSAM), and content denying crimes against humanity, including Holocaust denial. Read more.. 

AI-Generated Platform Moltbook Exposes Millions of Credentials 

Security researchers disclosed that Moltbook, a viral social network built entirely using AI-generated code, exposed 1.5 million API authentication tokens, 35,000 user email addresses, and thousands of private messages due to a database misconfiguration. Wiz Security identified the issue after discovering an exposed Supabase API key embedded in client-side JavaScript, which granted unrestricted access to the platform’s production database. Read more.. 

Substack Discloses Breach Months After Initial Compromise 

Substack revealed that attackers accessed user email addresses, phone numbers, and internal metadata in October 2025, though the breach went undetected until February 3, 2026. CEO Chris Best notified affected users, stating, “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.” Read more.. 

Weekly Takeaway 

This Cyber Express weekly roundup highlights a clear takeaway for the global cybersecurity community: digital expansion without equivalent security investment increases organizational and systemic risk. AI-built platforms, advanced security tooling, and large-scale public-sector systems are being deployed rapidly, often without adequate access controls, monitoring, or testing. As recent incidents show, these gaps lead to data exposure, prolonged breach detection, and service disruption. To reduce risk, organizations must embed security controls, clear ownership, and continuous monitoring into system design and daily operations, rather than relying on post-incident fixes or policy statements.

Rome’s Sapienza University, Europe’s largest university by number of on-campus students, is grappling with a major IT outage following a cyberattack on La Sapienza that disrupted digital services across the institution. The La Sapienza cyberattack has forced the university to take critical systems offline as officials work to contain the incident and restore operations.  The university publicly acknowledged the cyberattack on La Sapienza earlier this week through a social media statement, confirming that its IT infrastructure “has been the target of a cyberattack.” As an immediate response, Sapienza ordered a shutdown of its network systems “to ensure the integrity and security of data,” a decision that triggered widespread operational disruptions. 

Updates to the La Sapienza Cyberattack

Sapienza University of Rome enrolls more than 112,500 students, making the impact of the outage particularly significant. Following the incident, university officials notified Italian authorities and established a dedicated technical task force to coordinate remediation and recovery efforts. As of the latest updates, the university’s official website remains offline, and recovery status updates have been communicated primarily through social media channels, including Instagram. To mitigate disruption to students, the university announced the creation of temporary in-person “infopoints.” These locations are intended to provide access to information normally available through digital systems and databases that remain unavailable due to the cyberattack on La Sapienza.

Cyberattack on La Sapienza Linked to BabLock Malware 

While the university has not publicly confirmed the technical nature of the incident or identified those responsible, Italian newspaper Corriere Della Sera reports that the La Sapienza cyberattack bears the hallmarks of a ransomware operation. According to the outlet, the attack is allegedly linked to a previously unknown, pro-Russian threat actor known as “Femwar02.”  The reporting suggests the attackers used BabLock malware, also referred to as Rorschach, based on observed malware characteristics and operational behavior. BabLock malware first emerged in 2023 and has attracted researchers' attention for its unusually fast encryption speeds and extensive customization capabilities.  Sources cited by Corriere della Sera claim that the systems at Sapienza were encrypted and that a ransom demand exists. However, university staff reportedly have not opened the ransom note, as doing so would trigger a 72-hour countdown timer. As a result, the ransom amount has not been disclosed. This tactic, designed to pressure victims into rapid negotiations, is increasingly common in ransomware campaigns using BabLock malware. 

Investigation and Recovery Efforts Continue 

In response to the cyberattack on La Sapienza, university technicians are working alongside Italy’s national Computer Security Incident Response Team (CSIRT), specialists from the Agenzia per la Cybersicurezza Nazionale (ACN), and the Polizia Postale. Their primary objective is to restore systems using backups, which, according to reports, were not affected by the attack.  Italy’s national cybersecurity agency has confirmed that it is investigating the incident. However, neither Sapienza University nor Italian authorities have publicly verified whether the attack involved ransomware or whether any data was exfiltrated. This distinction is critical: encryption-only incidents primarily cause operational disruption, while confirmed data theft can trigger additional legal and regulatory obligations under the EU’s General Data Protection Regulation (GDPR). 

Data accessed in October 2025 went undetected until February, affecting subscribers across the newsletter platform with no evidence of misuse yet identified.

Substack disclosed a security breach that exposed user email addresses, phone numbers and internal metadata to unauthorized third parties, revealing the incident occurred four months before the company detected the compromise. CEO Chris Best notified users Tuesday that attackers accessed the data in October 2025, though Substack only identified evidence of the breach on February 3.

"I'm incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here," Best wrote in the notification sent to affected users.

The breach allowed an unauthorized third party to access limited user data without permission through a vulnerability in Substack's systems. The company confirmed that credit card numbers, passwords and financial information were not accessed during the incident, limiting exposure to contact information and unspecified internal metadata.

Substack's Breach Detection Delay a Concern

The four-month detection gap raises questions about Substack's security monitoring capabilities and incident response procedures. Modern security frameworks typically emphasize rapid threat detection, with leading organizations aiming to identify breaches within days or hours rather than months. The extended dwell time—the period attackers maintained access before detection—gave threat actors ample opportunity to exfiltrate data undetected.

Substack claims it has fixed the vulnerability that enabled the breach but provided no technical details about the nature of the flaw or how attackers exploited it. The company stated it is conducting a full investigation and taking steps to improve systems and processes to prevent future incidents.

Best urged users to exercise caution with emails or text messages they receive, warning that exposed contact information could enable phishing attacks or social engineering campaigns. While Substack claims no evidence of data misuse exists, the four-month gap between compromise and detection means attackers had significant time to leverage stolen information.

The notification's vague language about "other internal metadata" leaves users uncertain about the full scope of exposed information. Internal metadata could include account creation dates, IP addresses, subscription lists, payment history or other details that, when combined with email addresses and phone numbers, create comprehensive user profiles valuable to attackers.

Substack Breach Impact

Newsletter platforms like Substack represent attractive targets for threat actors because they aggregate contact information for engaged audiences across diverse topics. Compromised email lists enable targeted phishing campaigns, while phone numbers facilitate smishing attacks—phishing via text message—that many users find less suspicious than email-based attempts.

The breach affects Substack's reputation as the platform competes for writers and subscribers against established players and emerging alternatives. Trust forms the foundation of newsletter platforms, where creators depend on reliable infrastructure to maintain relationships with paying subscribers.

Substack has not disclosed how many users were affected, whether the company will offer identity protection services, or if it has notified law enforcement about the breach. The company also has not confirmed whether it will face regulatory scrutiny under data protection laws in jurisdictions where affected users reside.

Users should remain vigilant for suspicious communications, enable two-factor authentication where available, and monitor accounts for unauthorized activity following the disclosure.

Also read: EU Data Breach Notifications Surge as GDPR Changes Loom

Mountain View’s decision to shut down its automated license plate reader program is a reminder of an uncomfortable truth that surveillance technology is only as trustworthy as the systems—and vendors—behind it. This week, Police Chief Mike Canfield announced that all Flock Safety ALPR cameras in Mountain View have been turned off, effective immediately. The move pauses the city’s pilot program until the City Council reviews its future at a February 24 meeting. The decision comes after the police department discovered that hundreds of unauthorized law enforcement agencies had been able to search Mountain View’s license plate camera data for more than a year—without the city’s awareness. For a tool that was sold to the public as tightly controlled and privacy-focused, this is a serious breach of trust.

Flock Safety ALPR Cameras Shut Down Over Data Access Failures

In his message to the community, Chief Canfield made it clear that while the Flock Safety ALPR pilot program had shown value in solving crimes, he no longer has confidence in the vendor. “I personally no longer have confidence in this particular vendor,” Canfield wrote, citing failures in transparency and access control. The most troubling issue, according to the police chief, was the discovery that out-of-state agencies had been able to search Mountain View’s license plate data—something that should never have been possible under state law or city policy. This wasn’t a minor technical glitch. It was a breakdown in oversight, accountability, and vendor responsibility.

Automated License Plate Readers Under Growing National Scrutiny

Automatic license plate readers, or ALPR surveillance cameras, have become one of the most controversial policing technologies in the United States. These cameras capture images of passing vehicles, including license plate numbers, make, and model. The information is stored and cross-checked with databases to flag stolen cars or vehicles tied to investigations. Supporters argue that ALPRs help law enforcement respond faster and solve crimes more efficiently. But critics have long warned that ALPR systems can easily become tools of mass surveillance—especially when data-sharing controls are weak. That concern has intensified under the Trump administration, as reports have emerged of license plate cameras being used for immigration enforcement and even reproductive healthcare-related investigations. Mountain View’s case shows exactly why the debate isn’t going away.

Mountain View Police Violated Its Own ALPR Policies

According to disclosures made this week, the Mountain View Police Department unintentionally violated its own policies by allowing statewide and national access to its ALPR data. Chief Canfield admitted that “statewide lookup” had been enabled since the program began 17 months ago, meaning agencies across California could search Mountain View’s license plate records without prior authorization. Even more alarming, “national lookup” was reportedly turned on for three months in 2024, allowing agencies across the country to access the city’s data. State law prohibits sharing ALPR information with out-of-state agencies, especially for immigration enforcement purposes. So how did it happen? Canfield was blunt: “Why wasn’t it caught sooner? I couldn’t tell you.” That answer won’t reassure residents who were promised strict safeguards.

Community Trust Matters More Than Surveillance Tools

Chief Canfield’s message repeatedly emphasized one point: technology cannot replace trust. “Community trust is more important than any individual tool,” he wrote. That statement deserves attention. Police departments across the country have adopted surveillance systems with the promise of safety, only to discover later that the systems operate with far less control than advertised. When a vendor fails to disclose access loopholes—or when law enforcement fails to detect them—the public pays the price. Canfield acknowledged residents’ anger and frustration, offering an apology and stating that transparency is essential for community policing. It’s a rare moment of accountability in a space where surveillance expansion often happens quietly.

Flock Safety Faces Questions About Transparency and Oversight

Mountain View’s ALPR program began in May 2024, when the City Council approved a contract with Flock Safety, a surveillance technology company. Since August 2024, the city installed cameras at major entry and exit points. By January 2026, Mountain View had 30 Flock cameras operating. Now, the entire program is paused. Flock spokesperson Paris Lewbel said the company would address the concerns directly with the police chief, but the damage may already be done. This incident raises a bigger question: should private companies be trusted to manage sensitive surveillance infrastructure in the first place?

What Happens Next for the Flock Safety ALPR Program?

The City Council will now decide whether Mountain View continues with the Flock contract, modifies the program, or shuts it down permanently. But the broader lesson is already clear. ALPR surveillance cameras may offer law enforcement real investigative value, but without airtight safeguards, they risk becoming tools of unchecked monitoring. Mountain View’s shutdown is not just a local story—it’s part of a national reckoning over how much surveillance is too much, and whether public safety can ever justify the loss of privacy without full accountability.

Lakelands Public Health has confirmed that it is actively responding to a cyberattack discovered on January 29, 2026, which affected some of its internal systems. The organization is sharing information about the Lakelands Public Health cyberattack incident proactively to maintain transparency and public trust.  Immediately after detecting the breach, Lakelands Public Health implemented its incident response protocols, secured affected systems, and engaged a leading cybersecurity firm to support the investigation, containment, and recovery efforts. Experts are working closely with the organization to ensure that all systems are restored safely and efficiently.  While restoration efforts are underway, some programs and services may experience temporary disruptions. The organization has committed to directly contacting any individuals or partners affected by interruptions. 

Critical Public Health Data Remains Secure 

Initial investigations indicate that systems managing sensitive public health information, including infectious disease data, immunization records, and sexual health information, were not impacted by the Lakelands Public Health cyberattack. Lakelands Public Health has emphasized that protecting personal information remains a top priority as it continues essential public health operations.  Dr. Thomas Piggott, Medical Officer of Health and Chief Executive Officer of Lakelands Public Health, said, 

“Our priority response to this event is protecting the information entrusted to us and maintaining continuity of critical public health services. By taking a proactive approach and engaging specialized expertise, we are working diligently to restore systems and keep our community informed.” 

The organization serves Peterborough city and county, Northumberland and Haliburton counties, Kawartha Lakes, and the First Nations communities of Curve Lake and Alderville. The cyberattack prompted a review of all systems that could potentially be affected, ensuring that any vulnerabilities are mitigated. 

Lakelands Public Health Cyberattack Investigation

Lakelands Public Health has noted that the investigation into the cyberattack is ongoing. While no personal or health information appears to have been compromised, the organization has committed to alerting affected parties should any issues arise as the review continues.  Officials have advised that during the restoration period, certain programs and services may remain temporarily offline, and affected individuals will receive direct notifications.  The health unit is also closely monitoring its IT infrastructure for unusual activity, and administrators are implementing additional safeguards, including enhanced network monitoring and access controls. These measures are aimed at minimizing risk and ensuring the integrity of public health data during the recovery process. 

Proactive Measures Strengthen Cybersecurity for Lakelands Public Health 

Residents, partners, and staff are encouraged to remain patient and vigilant as Lakelands Public Health continues to prioritize security, transparency, and the continuity of services. Updates regarding the cyberattack and ongoing recovery efforts are available at LakelandsPH.ca.  In response to the incident, Lakelands Public Health has reinforced its commitment to cybersecurity. By engaging specialized expertise and deploying additional monitoring and response tools, the organization aims to reduce the risk of future incidents.  Dr. Piggott reinforced the importance of public confidence, stating that the organization will continue to communicate openly and ensure that all necessary steps are taken to protect sensitive information while maintaining public health services without interruption. 

CrossCurve bridge, formerly known as EYWA, has suffered a major cyberattack after attackers exploited a vulnerability in its smart contract infrastructure, draining approximately $3 million across multiple blockchain networks.   The CrossCurve team confirmed the incident on Sunday, stating that its bridge infrastructure was “currently under attack” and warning users to immediately stop interacting with the protocol.   “Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used,” CrossCurve said in a post on X. “Please pause all interactions with CrossCurve while the investigation is ongoing.” 

Spoofed Cross-Chain Messages Used to Bypass Validation Checks 

Blockchain security account Defimon Alerts identified the root cause of the cyberattack as a gateway validation bypass within CrossCurve’s ReceiverAxelar contract. According to the analysis, the contract lacked a critical validation check, allowing any user to call the expressExecute function with a spoofed cross-chain message.  [caption id="attachment_109109" align="alignnone" width="720"] CrossCurve Exploit Details (Source: Defimon Alerts on X)[/caption] By exploiting this flaw, attackers were able to bypass the intended gateway validation logic and trigger unauthorized token unlocks on the protocol’s PortalV2 contract. As a result, funds were drained without proper authorization. The exploit impacted the CrossCurve bridge across multiple networks, highlighting the risks associated with cross-chain messaging systems.  Data from Arkham Intelligence, shared by Defimon Alerts, shows that the PortalV2 contract’s balance dropped from roughly $3 million to nearly zero around January 31. Transaction data indicates that the exploit unfolded across several chains, rather than being confined to a single network. 

CrossCurve Cyberattack Revives Concerns Over Bridge Security

CrossCurve, previously branded as EYWA, operates a cross-chain decentralized exchange and liquidity protocol developed in partnership with Curve Finance. The protocol relies on what it calls a “Consensus Bridge,” which routes transactions through multiple independent validation mechanisms, including Axelar, LayerZero, and the EYWA Oracle Network. The design was intended to reduce reliance on any single system and minimize points of failure.  In its documentation, CrossCurve had highlighted this architecture as a key security advantage, stating that “the probability of several crosschain protocols getting hacked at the same time is near zero.” The recent cyberattack, however, demonstrated that a vulnerability in a single smart contract can still compromise the broader system, regardless of the number of validation layers involved.  The project has prominent backing in the decentralized finance ecosystem. Curve Finance founder Michael Egorov became an investor in the protocol in September 2023, and CrossCurve later announced that it had raised $7 million from venture capital firms.  Following the exploit, Curve Finance issued a warning to users with exposure to EYWA-related pools. “Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes,” Curve Finance wrote on X. “We continue to encourage all participants to remain vigilant and make risk-aware decisions when interacting with third-party projects.”  Security researchers compared the CrossCurve bridge exploit to earlier incidents in the sector. The vulnerability bears similarities to the 2022 Nomad bridge hack, in which attackers drained approximately $190 million after discovering a flawed validation mechanism. That exploit escalated rapidly, with hundreds of wallet addresses copying the attack once it became public. 

As January 2026 comes to a close, The Cyber Express takes a comprehensive look at the events defining the global cybersecurity landscape. Over the past week, organizations worldwide faced high-profile cyberattacks, emerging threats in AI and ad fraud, critical software vulnerabilities, and intensifying regulatory scrutiny affecting both public and private sectors. This week’s coverage highlights significant attacks on Russian and U.S. companies, the discovery of advanced post-exploitation frameworks, trends in EU data breach reporting, and actionable guidance for brands to enhance privacy, security, and compliance in an increasingly complex digital ecosystem.

The Cyber Express Weekly Roundup 

Cyberattack Hits Russian Security Firm Delta 

On January 26, 2026, Delta, a Russian alarm and vehicle security provider, suffered a major cyberattack, disrupting alarms, vehicle systems, and company communications for tens of thousands of customers. While no confirmed customer data breach occurred, an unverified leak circulated online. Read more... 

Ad Fraud and Data Privacy: Brands Must Act Now 

Ad fraud is escalating, costing the digital advertising industry billions and eroding consumer trust. Experts like Dhiraj Gupta of mFilterIt emphasize that brands can no longer rely on platform-reported metrics alone. Independent verification, real-time audits, and continuous monitoring of data flows are now essential to ensure privacy, enforce purpose limitations, and maintain accountability across complex advertising ecosystems. Read more… 

Ivanti Patches Critical Mobile Manager Zero-Days 

Ivanti released emergency fixes for two critical zero-day code injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Endpoint Manager Mobile. These flaws allow attackers to execute arbitrary code, access sensitive device and user data, and track locations. CISA added CVE-2026-1281 to its KEV catalog with a two-day remediation deadline for federal agencies. Read more... 

Cyble Discovers ShadowHS, a Stealthy Linux Post-Exploitation Framework 

Cyble Research & Intelligence Labs uncovered ShadowHS, a fileless, in-memory Linux framework providing attackers with long-term, operator-controlled access. ShadowHS uses AES-encrypted payloads and stealthy memory execution to evade traditional antivirus software, enabling credential theft, lateral movement, privilege escalation, cryptomining, and covert data exfiltration. Read more... 

EU Data Breach Notifications Rise Amid GDPR Reform Talks 

Data breach notifications in the EU surged 22% over the past year, averaging over 400 per day. GDPR fines remained high at approximately €1.2 billion in 2025. Discussions on the Digital Omnibus legislation highlight a need to balance efficiency in reporting with protecting fundamental privacy rights amid NIS2, DORA, and ongoing cybersecurity threats. Read more... 

New Cyberattacks Target U.S. Companies 

Several U.S. companies, including Bumble, Panera, Match Group, and CrunchBase, faced phishing and vishing attacks against employees. Bumble reported brief unauthorized access to a small portion of its network, while other firms experienced limited exposure. The ShinyHunters hacking group claims responsibility and has issued extortion demands, emphasizing social engineering as a growing threat to high-profile organizations. Read more... 

Weekly Takeaway 

The last week of January 2026 stresses that cybersecurity is no longer just a technical concern. From attacks on critical infrastructure in Russia to post-exploitation Linux frameworks, ad fraud, and regulatory scrutiny in the EU, organizations must combine technology, governance, and proactive monitoring to protect data, trust, and operations.  

EU data breach notifications have surged 22% in the last year and GDPR fines remain high, according to a new report from law firm DLA Piper. The “sustained high level of data enforcement activity across Europe” noted in the report occurs amid the EU Digital Omnibus legislative process that critics say could substantially weaken the GDPR’s data privacy provisions. Given the high number of data breach notifications, the report noted, “It is perhaps not surprising that the EU Digital Omnibus is proposing to raise the bar for incident notification to regulators, to capture only breaches which are likely to cause a high risk to the rights and freedoms of data subjects. Supervisory authorities have been inundated with notifications and understandably want to stem the flood so they can focus on the genuinely serious incidents.” The success of the Digital Omnibus process may depend on how EU legislative bodies address the concerns of data privacy advocates, said the report, whose publication coincided with Data Privacy Week. “If simplification is perceived as undermining fundamental rights, the outcome could be legal uncertainty, increased litigation, and political backlash – the very opposite of the simplification and clarity businesses seek,” the law firm said. “The Omnibus therefore faces a delicate balancing act: simplifying rules without eroding trust or core rights. It is expected that the proposals will change as they are debated among the European Commission, the European Parliament, and the EU Council during the trialogue process in 2026.”

EU Data Breach Notifications Top 400 Per Day

The report found that for the first time since May 25, 2018 – the GDPR’s implementation date – average data breach notifications per day topped 400, “breaking the plateauing trend we have seen in recent years.” Between January 28, 2025 and January 27, 2026, the average number of breach notifications per day increased from 363 to 443, a jump of 22%. “It is not clear what is driving this uptick in breach notifications, but the geo-political landscape driving more cyber-attacks, as well as the focus on cyber incidents in the media and the raft of new laws including incident notification requirements ... may be focusing minds on breach notifications,” the law firm said. Laws and regulations that may be driving the increase in EU data breach notifications include NIS2, the Network and Information Security Directive, and DORA, the Digital Operation Resilience Act, the firm said.

GDPR Fines Reverse Downward Trend

GDPR fines remained high, with European supervisory authorities issuing fines totaling approximately EUR1.2 billion in 2025, in line with 2024 levels. “While there is no year-on-year increase in aggregate GDPR fines, this figure marks a reversal of last year’s downward trend and underscores that European data protection supervisory authorities remain willing to impose substantial monetary penalties,” the law firm said. The aggregate total fines since the implementation of GDPR across the jurisdictions surveyed stands at EUR7.1 billion as of January 27, 2026 – EUR4.04 billion of which were issued by the Irish Data Protection Commission. The Irish Data Protection Commission also imposed the highest fine in 2025, a EUR530 million fine in April 2025 against TikTok for violating GDPR's international data transfer restrictions. Fines resulting from breaches of the GDPR integrity and confidentiality principle, also known as the security principle, continue to be prominent, the report said. “Supply chain security and compliance is increasingly attracting the attention of data protection supervisory authorities,” the law firm said. “Supervisory authorities expect robust security controls to prevent personal data breaches and processors, as well as controllers, are directly liable for breaches of the security principle resulting in several fines being imposed directly on processors this year.”

Non-Material Damage Allowed Under GDPR Compensation Claims

Follow-on GDPR compensation claims also saw some notable developments, the law firm found. “This year has brought several notable rulings from the Court of Justice of the European Union (CJEU) and European courts on GDPR-related compensation claims – particularly regarding the criteria for pursuing claims for non-material damage.” One notable CJEU ruling found that non-material damage referred to in Article 82(1) GDPR “can include negative feelings, such as fear or annoyance, provided the data subject can demonstrate that they are experiencing such feelings,” the report said. “This was a win for claimants. However, in the same decision, the CJEU ruled that the mere assertion of negative feelings is insufficient for compensation; national courts must assess evidence of such feelings and be satisfied that they arise from the breach of GDPR. This provides some comfort for defendants as theoretical distress is insufficient to sound in compensation.” Ross McKean, Chair of the DLA Piper UK Data, Privacy and Cybersecurity practice, said in a statement that “Most evident in this year's report is the validation that the cybersecurity threat landscape has reached an unprecedented level. ... Coupled with the slew of new cybersecurity laws impacting business, some of which impose personal liability on members of management bodies, our report underscores the urgency and need for organisations to optimise cyber defences and operational resilience.”

Nike has confirmed that it is investigating a potential cybersecurity incident after claims surfaced online that its internal data may have leaked by a cybercrime group. The same group, known for extortion-driven attacks against other companies, previously claimed the Nike cyberattack on its dark web site.  Nike acknowledged the situation of a potential cybersecurity incident, stating, “We always take consumer privacy and data security very seriously. We are investigating a potential cybersecurity incident and are actively assessing the situation.” The company has not yet disclosed whether the cyberattack on Nike involved customer, employee, or partner data. 

Hacker Group Claims the Nike Cyberattack

The allegations stem from a ransomware group known as World Leaks, which claimed on its website that it had published 1.4 terabytes of data allegedly tied to Nike’s business operations. The group did not specify what types of files or information were included in the purported leak.  The Cyber Express reached out to Nike for further details regarding the reported cyberattack on Nike. However, as of the time of writing, the company had not shared any additional updates or clarification about the incident or its potential impact.  World Leaks is an extortion-focused cybercrime group that steals corporate data to pressure victims into paying ransoms, threatening public disclosure if demands are not met. The group emerged in 2025 after rebranding from Hunters International, a ransomware gang active since 2023. Following increased law enforcement scrutiny, the group reportedly abandoned traditional file-encryption tactics and shifted entirely to data theft and extortion. It has since claimed hundreds of victims. 

Potential Partner Impact and Broader Industry Context 

It remains unclear whether the alleged Nike data breach affected information belonging to any of Nike’s major wholesale partners. The company works closely with large retailers such as Dick’s Sporting Goods, Macy’s, and JD Sports.  The reported cyberattack on Nike comes as data breaches continue to disrupt major corporations worldwide. High-profile cyber incidents in 2023 and 2024 affected companies, including MGM Resorts International, Clorox, and UnitedHealth Group. MGM disclosed losses of at least $100 million tied to its attack, while Clorox reported a decline of more than $350 million in quarterly net sales following its breach.  The incident also follows similar developments within the sportswear sector. TechCrunch recently reported that Under Armour launched an investigation after 72 million customer email addresses were posted online.  

Nike’s Business Challenges Amid Cybersecurity Concerns 

According to The Star, Nike has been working to regain its position as the world’s dominant sportswear brand after losing market share to smaller competitors. Against this backdrop, the emergence of a potential Nike cyberattack adds another layer of uncertainty. Despite the reports, Nike’s shares were flat as of late morning on Monday, indicating that investors may be waiting for verified details before reacting.  As investigations continue, it remains uncertain whether the alleged Nike data breach will be confirmed or what consequences may follow. Nike has stated only that it is actively assessing the situation, and further information is expected as the inquiry progresses and claims related to the cyberattack on Nike are independently evaluated.   This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We will update this post once we have more information on the Nike cyberattack or any additional information from the company. 

The ShinyHunters and CL0P threat groups have returned with new claimed victims. ShinyHunters has resurfaced with a new onion-based data leak site, with the group publishing data allegedly stolen from three victims, with two apparently linked to recent vishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft and Google, which can lead to compromises of connected enterprise applications and services. In an email to The Cyber Express, a ShinyHunters spokesperson said “a lot more victims are to come from the new vishing campaign.” The CL0P ransomware group, meanwhile, has claimed 43 victims in recent days, its first victims since its exploitation of Oracle E-Business Suite vulnerabilities last year netted more than 100 victims. The group reportedly was targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign, but the threat group has posted no technical details to support the new claims.

ShinyHunters Returns

ShinyHunters has resurfaced following 2025 campaigns that saw breaches of PornHub and Salesforce environments and a “suspicious insider” at CrowdStrike. The group, which has also gone by Scattered LAPSUS$ Hunters, has claimed three new victims, all of whom have had confirmed breaches in recent weeks. One of the claimed victims is SoundCloud, which confirmed a breach in mid-December that the company said “consisted only of email addresses and information already visible on public SoundCloud profiles and affected approximately 20% of SoundCloud users.” Investment firm Betterment is another claimed victim with a recent confirmed breach. While it’s not clear if the incident is related to the ShinyHunters claims, the company reported a January 9 incident in which “an unauthorized individual gained access to certain Betterment systems through social engineering. This means the individual used identity impersonation and deception to gain access, rather than compromising our technical infrastructure. The unauthorized access involved third-party software platforms that Betterment uses to support our marketing and operations.” The third claimed victim is financial data firm Crunchbase, which confirmed a data exfiltration incident in a statement to SecurityWeek. ShinyHunters told The Cyber Express that only Crunchbase and Betterment are from the SSO vishing campaign. “We are releasing victims from many of our previous campaigns and ongoing campaigns onto our data leak site, not exclusively the SSO vishing campaign data thefts,” the spokesperson said. Meanwhile, a threat actor who goes by “LAPSUS-GROUP” has emerged recently on the BreachForums 5.0 cybercrime forum claiming data stolen from a Canadian retail SaaS company, but ShinyHunters told The Cyber Express that the actor is an “impersonator group” and has no connection to ShinyHunters.

CL0P Claims 43 New Victims

The Cl0p ransomware group appears to have launched a new extortion campaign, although it is not clear what vulnerabilities or services the group is targeting. The group listed 21 new victims last week, and then another 22 over the weekend. Alleged victims include a major hotel chain, an IT services company, a UK payment processing firm, a workforce management company, and a Canada-based mining company. In a note to clients today, threat intelligence company Cyble wrote, “At the time of reporting, Cl0p has not disclosed technical details, the volume or type of data allegedly exfiltrated, nor announced any ransom deadlines for these victims. No proof-of-compromise samples have been published. We continue to monitor the situation for further disclosures, validation of the victim listings, or escalation by the group.”

The fallout from the Manage My Health data breach is continuing, with the company warning that fraudsters may now be attempting to contact affected users by impersonating the online patient portal.  Manage My Health, which operates a widely used digital health platform in New Zealand, confirmed that most people impacted by the breach have now been notified. However, the organization cautioned that secondary criminal actors may be exploiting the situation by sending phishing or spam messages that appear to come from Manage My Health.  “We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH,” the company said in a statement. It added that it is investigating measures to limit this activity and has issued guidance to help users protect themselves.  The MMH cyberattack, which occurred late last year, involved unauthorized access to documents stored within a limited feature of the platform. Cyber criminals reportedly demanded thousands of dollars in ransom, threatening to release sensitive data on the dark web. If released, the information could have exposed the medical details of more than 120,000 New Zealanders. 

Information Accessed in the Manage My Health Data Breach 

According to Manage My Health, the cyberattack did not affect live GP clinical systems, prescriptions, appointment scheduling, secure messaging, or real-time medical records. Instead, the breach was confined to documents stored in the “My Health Documents” section of the platform.  These documents included files uploaded by users themselves, such as correspondence, reports, and test results, as well as certain clinical documents. The latter consisted of hospital discharge summaries and clinical letters related to care received in Northland Te Tai Tokerau.  Upon detecting unusual system activity, Manage My Health said it immediately secured the affected feature, blocked further unauthorized access, and activated its incident response plan. Independent cybersecurity specialists were engaged to investigate the incident and confirm its scope.  The company stated that the breach has since been contained and that testing has confirmed the vulnerability is no longer present. 

Notifications and Regulatory Response 

Manage My Health acknowledged that its initial response led to some individuals being notified prematurely. “When we first identified the breach, our priority was to promptly inform all potentially affected patients,” the organization said, noting that this cautious approach resulted in some people being contacted even though they were later found not to be impacted.  Following forensic investigations, those individuals were subsequently informed that their data had not been affected. Users can confirm their status by logging into the Manage My Health web application, where a green “No Impact” banner indicates no involvement in the incident.  The company said notification efforts are ongoing due to the complexity of coordinating communications across patient groups, authorities, and data controllers, while ensuring compliance with the New Zealand Privacy Act.  The Manage My Health data breach has also triggered regulatory scrutiny. The Office of the Privacy Commissioner (OPC) has announced an inquiry into the privacy aspects of the incident. Manage My Health confirmed it is working closely with the OPC, as well as Health New Zealand | Te Whatu Ora, the National Cyber Security Centre, and the New Zealand Police. 

Legal Action and Monitoring Efforts 

As part of its response to the MMH cyberattack, Manage My Health sought and was granted an interim injunction from the High Court. The injunction prohibits any third party from accessing, publishing, or disseminating the impacted data.  The organization said it is actively monitoring known data leak websites and is prepared to issue takedown notices immediately if any information appears online.  Additional security measures taken include remediating compromised account credentials, temporarily disabling the Health Documents module, and implementing continuous monitoring while broader security upgrades are rolled out. An independent forensic investigation remains ongoing, with the company declining to comment on specific technical findings at this stage. 

Guidance for Users 

Manage My Health has reiterated that it will never ask users for passwords or one-time security codes. It has urged caution when receiving unexpected or urgent messages claiming to be from the company.  Anyone contacted by individuals claiming to possess their health data is advised not to engage and to report the incident to New Zealand Police via 105, or 111 in an emergency, and notify Manage My Health support.  To assist those concerned about identity misuse, the company has partnered with IDCARE, which provides free and confidential cyber and identity support across Australia and New Zealand.  “We take the privacy of our clients and staff very seriously, and we sincerely apologise for any concern or inconvenience this incident may have caused,” Manage My Health said, adding that it remains committed to transparency as investigations into the cyberattack on Manage My Health continue. 

Ingram Micro, one of the world’s largest IT distributors, has confirmed that sensitive personal data was leaked following a ransomware attack that disrupted its operations last year. The Ingram Micro data breach incident, which paralysed the company’s logistics systems for nearly a week in July 2025, has now been linked to the theft of files containing employee and applicant information, affecting more than 42,000 individuals. The Ingram Micro data breach came to light through a mandatory filing with U.S. authorities, which revealed that 42,521 people were impacted, including five residents of the state of Maine. According to the company, the attackers accessed internal file repositories between July 2 and July 3, 2025, during an external system breach involving hacking. However, the breach was only discovered several months later, on December 26, 2025.

Ransomware Attack Led to Extended Disruption

The data exposure follows a ransomware attack that caused widespread operational disruption at Ingram Micro in July 2025. At the time, the company’s logistics were reportedly paralysed for about a week, affecting its ability to process and distribute products. While the immediate impact of Ingram Micro data breach on operations was known, it has now emerged that the attackers also exfiltrated sensitive files during the same period. In a notice sent to affected individuals, Ingram Micro said it detected a cybersecurity incident involving some of its internal systems on July 3, 2025. The company launched an investigation into the nature and scope of the issue and determined that an unauthorised third party had taken certain files from internal repositories over a two-day window.

Ingram Micro Data Breach: Personal and Employment Data Stolen

The compromised files included employment and job applicant records, containing a wide range of personal information. According to the Ingram Micro data breach notification, the stolen data may include names, contact information, dates of birth, and government-issued identification numbers such as Social Security numbers, driver’s licence numbers, and passport numbers. In addition, certain employment-related information, including work evaluations and application documents, was also accessed. The company noted that the types of affected personal information varied by individual. Ingram Micro employs approximately 23,500 people worldwide, and the breach affected both current and former employees, as well as job applicants. Ingram Micro said it took steps to contain and remediate the unauthorised activity as soon as the incident was detected. These measures included proactively taking certain systems offline and implementing additional security controls. The company also engaged leading cybersecurity experts to assist with its investigation and notified law enforcement. As part of its response to the Ingram Micro data breach, the company conducted a detailed review of the affected files to understand their contents. It was only after completing this review that Ingram Micro confirmed that some of the files contained personal information about individuals.

Support Offered to Affected Individuals

Ingram Micro is notifying impacted individuals and encouraging them to take steps to protect their personal information. Under U.S. law, affected individuals are entitled to one free credit report annually from each of the three nationwide consumer reporting agencies. The company has also arranged to provide complimentary credit monitoring and identity protection services for two years. In its notification, Ingram Micro urged people to remain vigilant by reviewing their account statements and monitoring their credit reports. The company included guidance on how to register for the free protection services and additional steps to reduce the risk of identity theft. For further assistance, Ingram Micro has set up a dedicated call centre for questions related to the breach. The company said it regrets any inconvenience caused and is working to address concerns raised by those affected.

Broader Implications for Corporate Cybersecurity

The incident highlights the growing risks organisations face from ransomware attacks that not only disrupt operations but also result in data theft. The delay between the occurrence of the breach in July and its discovery in December emphasizes the challenges companies face in detecting and containing sophisticated cyber intrusions. For large enterprises like Ingram Micro, which play a central role in global IT supply chains, the consequences of such attacks can extend beyond immediate operational losses. The exposure of sensitive employee and applicant data adds a long-term dimension to the impact, increasing the risk of identity theft and fraud for those affected. As investigations continue, the ransomware attack on Ingram Micro serves as a reminder of the importance of strong cybersecurity controls, continuous monitoring, and timely incident response to limit both operational disruption and data loss.

Cyble’s Annual Threat Landscape Report for 2025 documents a cybercrime environment that remained volatile even as international law enforcement agencies escalated disruption efforts. Large-scale takedowns, arrests, and infrastructure seizures failed to slow adversaries for long. Instead, cybercriminal ecosystems fractured, reorganized, and re-emerged across decentralized platforms, encrypted messaging channels, and invitation-only forums. The ransomware landscape, in particular, demonstrated a capacity for rapid regeneration that outpaced enforcement pressure.  According to Cyble’s report, ransomware was the most destabilizing threat category throughout 2025. Attacks expanded across government, healthcare, energy, financial services, and supply-chain-dependent industries. Many groups moved away from encryption-centric campaigns toward extortion-only operations, relying on data theft, public exposure, and reputational damage to extract payment. This shift reduced operational friction and shortened attack cycles, making traditional detection and containment models less effective.  Artificial intelligence further reshaped attacker operations. Cyble observed AI-assisted automation being embedded into multiple stages of the kill chain. Negotiation workflows were partially automated. Malware became more polymorphic. Intrusion paths were adapted in real time as defenses responded. These developments increased attack velocity while compressing dwell time, forcing defenders to operate with narrower margins for response. 

Measured Threat Activity Across Underground Ecosystems 

CRIL tracked 9,817 confirmed cyber threat incidents across forums, marketplaces, and leak sites during 2025. These incidents impacted organizations spanning critical infrastructure, government agencies, and law enforcement entities.  [caption id="attachment_108748" align="aligncenter" width="946"] sectors and regions targeted by threat actors in 2025 (Source: Cyble)[/caption] The breakdown of activity was heavily skewed toward monetized data exposure. 6,979 incidents involved breached datasets or compromised information advertised for sale. Another 2,059 incidents centered on the sale of unauthorized access, including credentials, VPN entry points, and administrative footholds. Government, law enforcement agencies (LEA), BFSI, IT & ITES, healthcare, education, telecommunications, and retail remained in the most consistently targeted sectors.  Geographic analysis showed a clear concentration of activity in Asia, where 2,650 incidents affected organizations through breaches, leaks, or access sales. North America followed with 1,823 incidents, while Europe and the United Kingdom recorded 1,779 incidents. At the country level, the United States, India, Indonesia, France, and Spain experienced the highest volume of targeting during the year. 

Ransomware Growth and Structural Expansion 

Cyble’s Annual Threat Landscape Report quantifies the scale of ransomware’s expansion over time. From 2020 to 2025, ransomware incidents increased by 355%, rising from roughly 1,400 attacks to nearly 6,500. While 2023 marked the largest year-over-year surge, 2025 produced the second-largest spike, with 47% more attacks than observed across the prior two years combined.  The ransomware landscape also broadened structurally. CRIL identified 57 new ransomware groups and 27 new extortion-focused groups emerging in 2025 alone. More than 350 new ransomware strains surfaced during the year, many derived from established codebases such as MedusaLocker, Chaos, and Makop. Rather than consolidating, the ecosystem continued to fragment, complicating attribution and enforcement. 

Affiliate Mobility and Repeat Victimization 

One of the most consequential trends documented in the Annual Threat Landscape Report was the recurrence of victim targeting. CRIL observed 62 organizations listed by multiple ransomware groups within the same year, sometimes within weeks. Across a five-year window, more than 250 entities suffered ransomware attacks more than once.  [caption id="attachment_108750" align="aligncenter" width="945"] Ransomware attack trends between 2020 and 2025 (Source: Cyble)[/caption] This pattern reflected widespread affiliate mobility. Ransomware-as-a-Service operators shared affiliates who moved between platforms, relisted victims, and reused stolen data to sustain pressure. Groups such as Cl0p, Qilin, Lynx, INC Ransom, Play, LockBit, and Crypto24 repeatedly claimed overlapping victims during short timeframes.  Several new groups, including Devman and Securotrop, initially operated within established RaaS programs before developing independent tooling and infrastructure. This progression blurred the line between affiliate and operator and further decentralized the ransomware landscape. 

Law Enforcement Pressure and Criminal Countermoves 

Law enforcement activity intensified throughout 2025. Authorities disrupted operations tied to CrazyHunters and 8Base and arrested or indicted affiliates associated with Black Kingdom, Conti, DoppelPaymer, RobbinHood, Scattered Spider, DiskStation, Ryuk, BlackSuit, and Yanluowang.  These actions forced tactical changes but did not suppress activity. CRIL confirmed insider recruitment efforts by Scattered Spider, LAPSUS$ Hunters, and Medusa. Other groups, including Play and MedusaLocker, publicly referenced similar recruitment strategies through announcements on their data leak sites. The ransomware landscape responded to enforcement pressure by becoming opaquer rather than less active. 

Tactical Shifts Toward Extortion-Only Models 

Operational realignment became more visible in 2025. Hunters International abandoned its RaaS model and rebranded as World Leaks, repositioning itself as an Extortion-as-a-Service provider while maintaining cross-relationships with RaaS operators such as Secp0. Analysis also indicated that Everest redirected part of its activity toward extortion-only campaigns, reducing reliance on encryption payloads.  [caption id="attachment_108751" align="aligncenter" width="291"] Rebranded ransomware groups reported in 2025 (Source: Cyble)[/caption] The year also saw widespread rebranding. Hunters International became World Leaks. Royal re-emerged as Chaos. LockBit 3.0 evolved into LockBit 4.5 and later 5.0. HelloKitty resurfaced as Kraken. At the same time, numerous groups dissolved or ceased operations, including ALPHV/BlackCat, Phobos/8Base, Cactus, RansomHub, and CrazyHunter. 

Victimology and Sector Impact 

Ransomware victimology data revealed 4,292 victims in the Americas, 1,251 in Europe and the UK, 589 across Asia and Oceania, and 202 within META-region organizations. The United States accounted for 3,527 victims, followed by Canada (360), Germany (251), the United Kingdom (198), Brazil (111), Australia (98), and India (67).  Sectoral impact remained uneven but severe. Manufacturing recorded 600 impacted entities, with industrial machinery and fabricated metal manufacturers bearing the brunt. Healthcare followed with 477 victims, where general hospitals and specialty clinics were repeatedly targeted to exploit the sensitivity of Personal Health Information. Construction, professional services, IT & ITES, BFSI, and government organizations also experienced sustained pressure. 

Supply Chain Exploitation and Infrastructure Risk 

Supply chain compromise emerged as a defining feature of the 2025 ransomware landscape. Cl0p’s exploitation of the Oracle E-Business Suite vulnerability CVE-2025-61882 affected more than 118 entities worldwide, primarily in IT & ITES. Among these victims were six organizations classified as critical infrastructure industries. Fog ransomware actors compounded supply chain risk by leaking GitLab source code from multiple IT firms.  Government and law enforcement agencies in the United States were targeted aggressively, with more than 40 incidents impacting essential public services. Semiconductor manufacturers in Taiwan and the United States remained priority targets due to their role as global production hubs. European semiconductor developers also faced attacks, though at lower volumes. 

High-Impact Incidents and Strategic Targeting 

Healthcare attacks continued to cause operational disruption, with repeated exposure of PHI used to intensify extortion pressure. Telecom providers faced sustained risk due to large-scale theft of customer PII, which threat actors actively traded and reused for downstream fraud. In several cases, ransomware groups removed breach disclosures from leak sites shortly after publication, suggesting successful ransom payments or secondary data sales.  Aerospace and defense organizations experienced fewer incidents but higher impact. One of the most significant events in 2025 was the attack on Collins Aerospace, which disrupted operations across multiple European airports and exposed proprietary defense technologies. Telemetry indicated disproportionate targeting of NATO-aligned defense developers.  Cyble’s Annual Threat Landscape Report makes one conclusion unavoidable: ransomware is no longer a disruption-driven threat; it is an intelligence-led, adaptive business model that thrives under pressure. The data from 2025 shows an ecosystem optimized for speed, affiliate mobility, and supply-chain leverage, with AI now embedded deep into extortion workflows and intrusion paths.   The Cyble Annual Threat Landscape Report provides complete datasets, regional breakdowns, threat actor analysis, and tactical intelligence drawn directly from CRIL’s monitoring of underground ecosystems. Readers can download the report to access the detailed findings, charts, and threat mappings referenced throughout this analysis.  Organizations looking to operationalize this intelligence can also book a Cyble demo to see how Cyble’s AI-powered threat intelligence platform translates real-world adversary data into actionable defense, combining automated threat hunting, supply-chain risk visibility, and predictive analytics driven by Cyble’s latest generation of agentic AI. 

The second week of 2026 continues to fetch new cybersecurity issues that affect national security, public stability, business operations, and technology governance. Developments this week ranged from senior intelligence leadership appointments and nationwide internet shutdowns to data breaches, new cybercrime services, and regulatory pressure on generative AI platforms.  Across regions and sectors, the incidents reflect how cyber risks now extend beyond technical environments into policy decisions, civil rights, financial systems, and public trust. Governments, enterprises, and technology providers faced challenges tied to resilience, accountability, and threat escalation, reinforcing cybersecurity’s role as a strategic issue rather than a purely operational one. 

The Cyber Express Weekly Roundup 

X Tightens Grok AI Restrictions 

X (previously Twitter) introduced new restrictions on its AI chatbot Grok to prevent the creation of nonconsensual sexualized images, including content that may constitute child sexual abuse material. Measures include blocking sexualized image edits of real people, limiting image generation to paid users, and applying geoblocking where such content is illegal. The changes follow widespread abuse reports and ongoing investigations by U.S. and European authorities. Read more… 

NSA Appoints Timothy Kosiba as Deputy Director 

The National Security Agency announced the appointment of Timothy Kosiba as its 21st Deputy Director, making him the agency’s senior civilian official responsible for strategy execution, policy, and operational priorities. Kosiba brings more than 30 years of experience across the U.S. intelligence community, including senior roles at the NSA and U.S. Cyber Command, overseas liaison assignments, and leadership of major operational units. Read more… 

Iran Enters Fourth Day of Nationwide Internet Blackout 

Iran entered a fourth day of a nationwide internet blackout amid widespread unrest linked to the collapse of the rial, now trading at 1.4 million to the U.S. dollar. Authorities reduced national connectivity to approximately 1%, cutting off communications for more than 80 million people. Reports indicate thousands have been detained and hundreds killed since protests began, drawing international concern over censorship, human rights, and crisis communications. Read more… 

Dr. Amit Chaubey Warns of Expanding “Business Blast Radius” 

In an interview with The Cyber Express, Dr. Amit Chaubey said cyber incidents in 2026 are creating a broader “business blast radius,” extending beyond IT into national resilience, legal exposure, operational continuity, and public trust. He identified failures in external dependencies, such as cloud services, identity systems, connectivity, and key suppliers, as the primary drivers of large-scale disruption, warning that many organizations remain unprepared for sustained degraded operations. Read more… 

Endesa Data Breach Affects Energía XXI Customers 

Spanish energy provider Endesa disclosed a data breach involving unauthorized access to its commercial platform, impacting customers of its regulated operator Energía XXI. Exposed data includes identification details, contact information, national identity numbers, contract data, and possible payment information such as IBANs. Endesa stated that account passwords were not compromised and reported no evidence of data misuse as investigations continue. Read more… 

New Android Banking Malware deVixor Identified 

Cyble researchers identified a new Android banking malware called deVixor, a remote access trojan combining credential theft, device surveillance, and ransomware functionality. Active since October, the malware targets Iranian users through phishing sites distributing malicious APKs and is operated as a service-based criminal platform using Telegram and Firebase infrastructure. Researchers noted the malware’s scalability and long-term operational design. Read more… 

Microsoft Disrupts RedVDS Cybercrime Platform 

Microsoft announced the takedown of RedVDS, a cybercrime-as-a-service platform costing $24 per month that provided criminals with disposable virtual machines for fraud operations. In coordination with international law enforcement, Microsoft seized infrastructure linked to an estimated $40 million in reported U.S. fraud losses, with victims across healthcare, real estate, nonprofit, and other sectors. The action marks Microsoft’s 35th civil case against cybercrime infrastructure. Read more… 

Weekly Roundup Takeaway 

This week’s events highlight how cybersecurity in 2026 directly affects governance, economic stability, civil rights, and technology accountability. From intelligence leadership changes and state-imposed internet shutdowns to advanced malware, large-scale fraud platforms, and AI safety enforcement, cyber risks now demand coordinated action across policy, regulation, and operations rather than technical controls alone. 

Spanish energy provider Endesa and its regulated electricity operator Energía XXI have begun notifying customers after detecting unauthorized access to the company’s internal systems, resulting in the exposure of personal and contract-related data. The Endesa data breach incident, publicly disclosed by the company, impacts customers linked to Endesa’s commercial platform and is currently under investigation. Endesa, Spain’s largest electric utility company and a subsidiary of the Enel Group, provides electricity and gas services to millions customers across Spain and Portugal. In total, the company reports serving approximately 22 million clients. The Endesa data breach specifically affects customers of Energía XXI, which operates under Spain’s regulated energy market.

Unauthorized Access Detected on Commercial Platform

According to Endesa, the security incident involved unauthorized and illegitimate access to its commercial platform, enabling attackers to view sensitive customer information tied to energy contracts. In a notification sent to affected customers, the company acknowledged the Endesa data breach, stating: “Despite the security measures implemented by this company, we have detected evidence of unauthorized and illegitimate access to certain personal data of our customers related to their energy contracts, including yours.” The company clarified that while account passwords were not compromised, other categories of data were potentially accessed during the incident. [caption id="attachment_108537" align="aligncenter" width="823"] Image Source: X[/caption]

Types of Data Potentially Exposed in Endesa Data Breach

Based on the ongoing investigation, Endesa confirmed that attackers may have accessed or exfiltrated the following information:

• Basic identification data
• Contact information
• National identity card numbers
• Contract-related data
• Possible payment details, including IBANs

Despite the scope of exposed data, Endesa emphasized that login credentials remained secure, reducing the likelihood of direct account takeovers.

Endesa Activates Incident Response Measures

Following detection of the Endesa data breach, the company activated its established security response protocols to contain and mitigate the incident. In its official statement, Endesa detailed the actions taken: “As soon as Endesa Energía became aware of the incident, the established security protocols and procedures were activated, along with all necessary technical and organizational measures to contain it, mitigate its effects, and prevent its recurrence.” These actions included blocking compromised internal accounts, analyzing log records, notifying affected customers, and implementing enhanced monitoring to detect further suspicious activity. The company confirmed that operations and services remain unaffected.

Authorities Notified as Investigation Continues

As required under applicable regulations, Endesa notified the Spanish Data Protection Agency and other relevant authorities after conducting an initial assessment of the incident. The company stated that the investigation is ongoing, involving both internal teams and external suppliers, to fully understand the cause and impact of the breach. Addressing customer concerns, Endesa noted: “As of the date of this communication, there is no evidence of any fraudulent use of the data affected by the incident, making it unlikely that a high-risk impact on your rights and freedoms will materialize.”

Customers Warned of Potential Phishing and Impersonation Risks

While no misuse of data has been identified so far, Endesa acknowledged potential risks associated with the exposed information. Customers have been urged to remain vigilant against identity impersonation, data misuse, phishing attempts, and spam campaigns. The company advised affected individuals to report any suspicious communications to its call center and to avoid sharing personal or sensitive information with unknown parties. Customers were also encouraged to contact law enforcement in case of suspected fraudulent activity. The Cyber Express Team has contacted Energía XXI and Endesa seeking further clarification on the incident and its impact. However, at the time of publication, no additional response had been received from either entity.

A Kyowon Group cyberattack has just been revealed, making the incident one of the latest breaches affecting South Korean companies in recent weeks. Amid ongoing investigations into breaches at companies such as KT, the country’s three major telecommunications firms, and Lotte Card, the Kyowon Group cyberattack has raised concerns due to the company’s extensive customer base across its many subsidiaries.  According to the latest updates on its website, Kyowon Group detected signs of an external intrusion on the morning of January 10. After identifying abnormal activity, the company immediately shut down parts of its internal systems and began emergency recovery measures. The incident was publicly acknowledged on January 11, when access to Kyowon Group’s main website and several affiliated sites became unavailable. 

Systems Shut Down After the Kyowon Group Cyberattack  

As of January 12, a service disruption notice was displayed across Kyowon Group and subsidiary websites, stating, “Web service is unavailable due to unexpected disruptions.” At that time, users were still unable to access online services, indicating the impact of the Kyowon Group cyberattack was ongoing.  [caption id="attachment_108477" align="alignnone" width="807"] Kyowon Group alerts users to a cyberattack on its systems (Source: Kyowon Group)[/caption] A Kyowon Group representative confirmed the breach, stating, “We have confirmed indications of a breach,” while emphasizing that investigations were still underway. The representative added, “We are still investigating whether any personal information has been leaked.” The company also announced that it planned to release an official statement the following morning once more details were confirmed. 

Multiple Affiliate Websites Go Offline as Recovery Efforts Continue 

Further disclosures revealed that Kyowon Group believes the incident may be linked to ransomware activity. On Monday, the company said it had shut down parts of its internal network after detecting what it described as suspicious behavior consistent with a ransomware attack. Kyowon Group explained that abnormal activity was first identified at approximately 8 a.m. on Saturday, January 10, prompting immediate action to isolate affected systems and block external access.  Several websites operated by Kyowon Group affiliates remained inaccessible as of Monday. A notice on the Kyowon Tour website confirmed that the service was unavailable. These disruptions highlighted the broad operational impact of the Kyowon Group hacking incident, which affected multiple brands under the group’s umbrella.  Kyowon Group reported the suspected breach to the Korea Internet & Security Agency (KISA) and relevant investigative authorities shortly after identifying the issue. The company said it is currently restoring systems while conducting comprehensive security checks to determine the scope of the intrusion. 

Company Reports Incident to Authorities, Probes Possible Ransomware Involvement 

“We are working with professional security personnel and related agencies to conduct a detailed investigation into the cause of the breach, the scope of its impact, and whether any data was affected, while carrying out recovery work,” Kyowon Group said in an official statement. The company also addressed concerns over customer data, stating, “We are also checking whether any personal information was leaked. If a leak is confirmed, we will promptly and transparently notify customers in accordance with relevant laws and procedures.”  Kyowon Group added that it plans to gradually restore access to its websites and related services as systems are secured. “We will mobilize all available resources to stabilize services and prioritize customer protection as we work toward full recovery,” the company said.  The cyberattack on Kyowon Group is particularly important given the group’s diverse business portfolio and large customer base. Kyowon Group operates education-focused brands such as Kyowon Kumon and Red Pen, which provide after-school learning materials. It also runs lifestyle and service-oriented businesses, including the Wells home appliance brand, Kyowon Life, a funeral service company, Kyowon Invest, Kyowon Travel, The Suites Hotel, and Kyowon Tour. 

Canopy Health confirms it suffered a serious cyber intrusion that went undisclosed to patients for six months. The delayed notification has triggered anger and deep concern among those affected, many of whom say the Canopy Health data breach has eroded their confidence in health providers and the systems meant to protect sensitive personal information.  The Canopy Health cyberattack was publicly acknowledged this week after months of behind-the-scenes investigation. In an update posted on its website, Canopy Health said it identified the incident on 18 July 2025, when it detected that an unknown person had “temporarily obtained unauthorized access” to part of its internal systems used by its administration team.  Following a forensic investigation conducted by external cybersecurity experts, the organization said it had been advised that “unauthorized access to one of our servers likely occurred, and some data may have been copied.” Canopy Health added that the incident had since been contained, but confirmed the investigation was ongoing. 

Patients React to the Canopy Health Data Breach 

According to Radio New Zealand, a woman who requested anonymity said she only learned about the Canopy Health data breach after receiving an email from the company this week. “Six months is an outrageous amount of time to keep the breach secret,” she said.  She had previously been referred to one of Canopy Health’s clinics for mammograms under the government-funded national breast screening program, BreastScreen Aotearoa, and had also used its diagnostic imaging services. The woman said the email she received claimed there was “no indication that any credit card, banking information or identity documents were affected.” However, she noted this appeared to contradict Canopy Health’s website statement, which acknowledged hackers may have “accessed a small number of bank account numbers.”  The woman, who is also a user of the Manage My Health platform, said that beyond what she described as “obviously inadequate data security systems,” the slow and unclear communication from both companies was “completely unacceptable.” “I am angry, and my confidence in health services and data security in this country is at an all-time low,” she said. 

Concerns Over Financial and Identity Information 

Another Auckland resident, also granted anonymity by RNZ, said she was referred to Canopy Health for a mammogram through BreastScreen Aotearoa and only received a letter about the breach in mid-December. “It was definitely not acceptable that this happened in July, but I only received a letter months later,” she said. “I would never have known if they had not sent that letter. But in the period of time they’ve taken to send it to me, anything could have happened.”  She said she was not reassured by Canopy Health’s assertion that it was “unlikely” patients’ identities were at risk. “If any of my information were compromised in any way, it would affect me,” she said. “I don’t know what would be out there, especially with the job I do—what if it fell into the hands of the wrong person and was used against me?”  Under a Q&A section published on its website, Canopy Health said the hacker “may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes.” The company said it was “directly notifying potentially affected individuals” and added that it was “unlikely the threat actor can take significant action with these details, as sensitive bank account information is highly protected.” Patients concerned about the Canopy Health data breach were advised to contact their banks. 

Second Health Data Incident Raises Wider Questions 

The Canopy Health cyberattack comes amid heightened scrutiny of data security in the health sector. In late December, patient portal provider Manage My Health confirmed it had identified a separate security incident involving unauthorized access to its platform. The company said between 6 and 7 percent of its approximately 1.8 million registered users may have been affected.  Manage My Health later said more than half of impacted patients had received notification emails, and that unaffected users could see their status within the app. Of the roughly 125,000 patients affected by the ransomware attack, more than 80,000 are based in Northland—the only region where Health NZ uses Manage My Health to share hospital discharge summaries, outpatient clinic letters, and referral notifications with patients.  The operators of Manage My Health said they have received “independent confirmation” from IT experts that vulnerabilities in its code have now been fixed. Meanwhile, the fallout from the Canopy Health data breach and the broader Canopy Health cyberattack continues to raise serious questions about transparency, accountability, and the protection of patient data across the healthcare system. 

The opening week of 2026 has already highlighted the complexity of global cyber threats, with incidents affecting governments, educational institutions, and corporations alike. From school closures to corporate breaches and international policy shifts, cybersecurity news demonstrates that attacks are no longer confined to technical systems; they have real-world consequences for operations, public trust, and the protection of sensitive data.  This week, digital risks have shown their reach across multiple sectors: schools are grappling with ransomware and system outages that disrupt learning, corporations face data breaches due to human error and weak authentication practices, and governments are reevaluating international cooperation in cybersecurity.  The early events of 2026 underline that managing cyber risk requires not just technology, but coordinated response, regulatory oversight, and awareness at every level, from individual users to global policymakers. 

The Cyber Express Weekly Roundup 

Higham Lane School Cyberattack Forces Temporary Closure 

Higham Lane School in Nuneaton, England, closed temporarily after a cyberattack disrupted IT systems, affecting 1,500 students. Staff and students must avoid platforms like Google Classroom while cybersecurity experts and the Department for Education investigate. Read more... 

Hacktivist Takes Down White Supremacist Websites Live at Conference 

Hacktivist Martha Root gained attention by deleting white supremacist websites live at the Chaos Communication Congress in Hamburg. Targeted platforms included WhiteDate, WhiteChild, and WhiteDeal. Root also exposed partial data from over 6,000 WhiteDate profiles, sharing it with controlled-access platforms DDoSecrets and HaveIBeenPwned. Read more... 

UK Announces £210 Million Cybersecurity Overhaul 

The UK government announced a £210 million cybersecurity initiative to address “critically high” risks across public sector systems, many of which rely on vulnerable legacy platforms. The plan includes creating a Government Cyber Unit for cross-department coordination and accountability, establishing the Government Cyber Coordination Centre (GC3) for strategic defense, and launching the first Government Cyber Profession to tackle skills shortages, supported by a Cyber Resourcing Hub. Read more... 

Australian Insurer Prosura Suffers Cyber Incident 

In Australia, Prosura temporarily shut down online policy management and claim portals following unauthorized access to internal systems on January 3, 2026. Customer names, emails, phone numbers, and policy details may have been exposed, though payment information remained secure. Read more... 

U.S. Withdraws from International Cyber Coalitions 

The United States announced its withdrawal from 66 international organizations related to cybersecurity, digital rights, and hybrid threat cooperation. These include the Hybrid CoE, GFCE, and Freedom Online Coalition. Officials cited misalignment with U.S. interests, raising concerns over reduced intelligence sharing and potential gaps in global cyber defense. Read more... 

Weekly Takeaway 

This week’s cybersecurity news from The Cyber Express shows that 2026 is already marked by complex threats. From school closures and corporate breaches to government reforms and international policy shifts, data breaches impact education, public services, and businesses. Protecting digital systems now requires vigilance, technical skill, and proactive governance, making strong cybersecurity strategies essential to protect operations, trust, and public safety worldwide. 

Australian insurance provider Prosura is investigating a cyber incident after detecting unauthorized access to parts of its internal systems, which has resulted in fraudulent emails being sent to some customers. The Prosura cyberattack, identified in early January, led the insurer to temporarily shut down key online services while it works to secure its systems and determine the full extent of the breach.  Prosura confirmed that it first identified the cyberattack on Prosura on January 3, 2026. In a media statement, the company said it discovered “unauthorized access to parts of our systems” and acted immediately to limit further risk.  “As a precaution, we have temporarily disabled the ability to purchase a policy, submit or manage a claim, or administer an existing policy via our self-service portal while we investigate and secure our environment,” Prosura said.  A subsequent Security Incident Update issued on Thursday, 8 January, provided additional clarity. According to the insurance provider, an unknown third party gained unauthorized access to a portion of its internal IT systems. Prosura also acknowledged that it was aware of online activity related to the incident and was prioritizing efforts to verify those claims.  While services remain offline, Prosura said it is conducting an urgent review of its systems and deploying additional security measures to prevent a recurrence of the Prosura cyberattack. 

Fraudulent Emails Linked to the Prosura Cyberattack

Alongside the system intrusion, Prosura reported that some customers received fraudulent emails connected to their existing or completed policies. These messages may reference the cyberattack on Prosura and instruct recipients to contact a third-party email address. The insurer urged customers not to respond to these emails, not to contact any external addresses mentioned, and to avoid clicking on links or opening attachments in unexpected messages. Customers were also advised to remain alert to phishing attempts via email, phone calls, or text messages that may use personal information to appear legitimate.

Customer Information Potentially Impacted 

Based on its investigation so far, Prosura believes some customer data may have been accessed during the cyberattack. The information potentially affected includes names, email addresses, phone numbers, country of residence, travel destinations, invoicing and pricing details, as well as policy start and end dates.  For customers who have previously made claims, the breach may also have exposed additional claim-related information. This could include driver’s licenses and associated images that were submitted as part of supporting documentation.  Prosura noted that there is no evidence that payment data was compromised. “Importantly, there is no indication that payment information (including credit card details) have been accessed,” the company stated, adding that it does not store credit card details within its systems. 

Regulatory Notifications and Ongoing Response 

The insurance provider confirmed it has notified both the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, and will alert other regulatory bodies as required. Prosura is also working with external cybersecurity specialists to investigate what happened, strengthen system security, and monitor for further developments.  “We are taking this incident extremely seriously. We will work with specialist cybersecurity experts to investigate what happened, secure our systems, and restore services safely,” the company said.  Despite the disruption, Prosura reassured customers that active policies remain valid. Policyholders with upcoming travel plans were advised that they can proceed as planned, as policy validity has not been affected by the incident. Customers needing claim support were instructed to contact Prosura directly via its official support email with “Claim” included in the subject line. 

Company Apology and Next Steps 

In a statement signed by Managing Director Mike Boyd, Prosura acknowledged the concern caused by the incident. “We know this is concerning, and we are sorry this has happened,” Boyd said. “Our focus is on protecting our customers, supporting those affected, and restoring services safely.”  Prosura said it will contact impacted parties directly once it confirms what information was involved and will provide further guidance and support as required. The company added that it will continue to issue updates as new facts emerge, noting that premature disclosures could lead to misinformation.  As the Prosura cyberattack investigation continues, the insurer has reiterated its advice for customers to stay vigilant, avoid suspicious communications, and rely only on official updates published through Prosura’s website and direct customer communications. 

Infostealer infections compounded by a lack of multi-factor authentication (MFA) have resulted in dozens of breaches at major global companies and calls for greater MFA use. The issue came to light in a Hudson Rock post that detailed the activity of a threat actor operating under the aliases “Zestix” and “Sentap.” The threat actor has auctioned data stolen from the corporate file-sharing portals of roughly 50 major global enterprises, targeting ShareFile, OwnCloud, and Nextcloud instances “belonging to critical entities across the aviation, robotics, housing, and government infrastructure sectors,” the report said, taking pains to note that lack of MFA was the primary cause. “... these catastrophic security failures were not the result of zero-day exploits in the platform architecture, but rather the downstream effect of malware infections on employee devices combined with a critical failure to enforce Multi-Factor Authentication (MFA),” the report said. Cyble’s threat intelligence database contains 56 dark web reports and client advisories on Zestix and Sentap going back to mid-2024, and the threat actor appears be connected to a significantly older X/Twitter account, according to a May 2025 Cyble profile. DarkSignal recently did an extensive profile of the threat actor.

Infostealers and No MFA Make Attacks Easy

The Hudson Rock report looked at 15 data breaches claimed by Zestix/Sentap and noted a common attack flow:

• Infection: “An employee inadvertently downloads a malicious file. The infostealer executes and harvests all saved credentials and browser history.”
• Aggregation: “These logs are aggregated in massive databases on the dark web. Zestix parses these logs specifically looking for corporate cloud URLs (ShareFile, Nextcloud).”
• Access: “Zestix simply uses the valid username and password extracted from the logs. Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password.”

“The era where brute-force attacks reigned supreme is waning,” the report said. “In its place, the Infostealer ecosystem has risen to become the primary engine of modern cybercrime. “Contrary to attacks involving sophisticated cookie hijacking or session bypasses, the Zestix campaign highlights a far more pedestrian – yet equally devastating – oversight: The absence of Multi-Factor Authentication (2FA).” Zestix relies on Infostealer malware such as RedLine, Lumma, or Vidar to infect personal or professional devices – and sometimes the gap between malware infection and exploitation is a long one, as old infostealer logs have led to new cyberattacks in some cases. “A critical finding in this investigation is the latency of the threat,” Hudson Rock said. “While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them. This highlights a pervasive failure in credential hygiene; passwords were not rotated, and sessions were never invalidated, turning a years-old infection into a present-day catastrophe.”

ownCloud Calls for Greater MFA Use

ownCloud responded to the report with a call for greater MFA use by clients. In a security advisory, the company said, “The ownCloud platform was not hacked or breached. The Hudson Rock report explicitly confirms that no zero-day exploits or platform vulnerabilities were involved.” Stolen credentials from infostealer logs were "used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled. As the report notes: ‘No exploits, no cookies—just a password.’” ownCloud said clients should immediately enable MFA on their ownCloud instances if they haven’t done so already. “MFA adds a critical second layer of verification that prevents unauthorized access even when credentials are compromised,” the company said. Recommended steps include:

• Enabling MFA on all user accounts using ownCloud’s two-factor authentication apps
• Resetting passwords for all users and requiring “strong, unique credentials”
• Reviewing access logs for suspicious activity
• Invalidating active sessions to force re-authentication with MFA

 

Taiwan faced a surge in Chinese cyberattacks in 2025, with government data showing that the island’s critical infrastructure was targeted an average of 2.6 million times per day. According to Taiwan’s National Security Bureau, the scale, frequency, and coordination of these Taiwan cyberattacks suggest a sustained and deliberate campaign that intensified alongside military and political pressure from Beijing.  The bureau reported that Chinese cyberattacks against Taiwan’s key infrastructure rose 6% compared with the previous year. Sectors experiencing the most severe impact included energy systems, hospitals, banks, emergency rescue services, and telecommunications networks. The agency said the average number of daily attacks reached approximately 2.63 million in 2025, marking an 113% increase from 2023, when the bureau first began publishing such figures.  “These attacks indicate a deliberate attempt by China to compromise Taiwan’s crucial infrastructure comprehensively and to disrupt or paralyze Taiwanese government and social functions,” the report stated. 

Chinese Cyberattacks Timed With Military Drills and Political Events 

Taiwanese authorities said many of the Chinese cyberattacks were closely synchronized with Chinese military exercises and politically sensitive moments, reinforcing concerns over what Taipei describes as “hybrid warfare.” The bureau documented that China conducted 40 “joint combat readiness patrols” in 2025, involving military aircraft and naval vessels operating near Taiwan. Cyber activity escalated during 23 of those patrols.  The report cited specific incidents in which Taiwan cyberattacks intensified during major political events. In May, cyber activity spiked when President Lai Ching-te delivered a speech marking his first year in office. Another escalation occurred in November when Vice President Hsiao Bi-khim spoke at a meeting with lawmakers at the European Parliament.  “China’s moves align with its strategic need to employ hybrid threats against Taiwan during both peacetime and wartime,” the report said.  Taiwan has repeatedly accused China of using a combination of daily military drills, disinformation campaigns, and cyber operations to weaken the island’s defenses and morale. Beijing claims Taiwan as its own territory and has not ruled out the use of force to bring the island under its control. Taipei rejects China’s sovereignty claims, stating that only Taiwan’s people can decide the island’s future, reported The Japan Times.

Hospitals, Energy Systems, and Banks Among Primary Targets 

The National Security Bureau said the Chinese cyberattacks employed a wide range of techniques designed to disrupt daily life and undermine public trust. These included distributed denial-of-service (DDoS) attacks aimed at overwhelming networks and halting services, as well as man-in-the-middle attacks used to intercept communications, steal sensitive data, and penetrate telecommunications infrastructure.  Hospitals, emergency services, and energy providers experienced some of the sharpest year-on-year increases in attack volume. Banks and financial systems were also repeatedly targeted, raising concerns about broader economic disruption.  Science parks anchoring Taiwan’s semiconductor industry were identified as another major focus. Facilities linked to advanced chip manufacturing, including firms such as TSMC, were subjected to repeated cyber intrusions. According to the report, attackers used various methods to steal advanced technologies and proprietary information. 

Technology Competition and Beijing’s Strategic Goals 

The bureau linked the cyber campaign to China’s broader economic and technological ambitions. The report said the attacks were “an attempt to support China’s self-reliance in technology and economic development and prevent China from being put in a disadvantaged position in the U.S.-China technology competition.”  Despite the detailed findings, China has consistently denied involvement. The Chinese government routinely rejects accusations related to hacking or cyber espionage. China’s Taiwan Affairs Office did not respond to a request for comment on the report.  Taiwanese officials argue that the sheer scale, timing, and coordination of the attacks point to an organized effort rather than isolated incidents. With Chinese cyberattacks and Taiwan cyberattacks continuing to rise in volume, the bureau warned that protecting digital infrastructure has become as critical as traditional military defense. 

The hacking group Crimson Collective claims to have obtained the personal data of more than a million residential customers of U.S. fiber broadband provider Brightspeed. In a January 4 Telegram post, the group behind a Red Hat GitLab breach last year claimed to possess “over 1m+ residential user PII's,” or personally identifiable information. Crimson Collective said it would release a data sample on January 5 to give Brightspeed “some time first to answer to us.” It is not known what if any communications occurred between the company and the hacker group, but Crimson Collective made good on that threat and released the data sample today.

Crimson Collective Details Brightspeed Claims

Crimson Collective claims to possess a wide range of data on Brightspeed customers, including:

• Customer account master records containing names, email addresses, phone numbers, billing and service addresses, and account status
• Network type, consent flags, billing system, service instance, network assignment, and site IDs
• Address qualification responses with address IDs, full postal addresses, latitude and longitude coordinates, qualification status (fiber/copper/4G), maximum bandwidth, drop length, wire center, marketing profile codes, and eligibility flags
• User-level account details keyed by session/user IDs, “overlapping with PII including names, emails, phones, service addresses, account numbers, status, communication preferences, and suspend reasons”
• Payment history, including payment IDs, dates, amounts, invoice numbers, card types and masked payment card numbers (last 4 digits), gateways, and status
• Payment methods per account, including default payment method IDs, gateways, masked credit card numbers, expiry dates, bank identification numbers (BINs), holder names and addresses, status flags (Active/Declined), and created/updated timestamps
• Appointment and order records by billing account, including order numbers, status, appointment windows, dispatch and technician information, and install types.

Potential Risk for Brightspeed Users

In an email exchange with The Cyber Express, a Crimson Collective spokesperson noted that while the data doesn’t include password or credit card data that could put users at imminent risk of breach or theft, the group said that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Asked if the group has established persistent access to Brightspeed’s environment, the spokesperson replied, “Cannot disclose this.” The Cyber Express also reached out to Brightspeed for comment and will update this article with any response. However, the company reportedly told Security Week that it is “currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed. We take the security of our networks and protection of our customers’ and employees’ information seriously and are rigorous in securing our networks and monitoring threats.”

Manage My Health (MMH) has released a detailed update on the ongoing investigation following a cyberattack that was first reported on 30 December 2025. The ManageMyHealth hack has affected a portion of the organization's user base, prompting urgent responses from MMH, Health New Zealand, and law enforcement agencies.  In its statement on 5 January 2026, MMH acknowledged the anxiety caused to both healthcare providers and patients. The company described the cyberattack on ManageMyHealth as a form of criminal activity targeting its systems and apologized for any distress caused. MMH confirmed it is coordinating closely with New Zealand Police, Health New Zealand, and other relevant authorities to respond to the incident.  “The immediate priority was to secure systems, protect patient data, and verify the accuracy of information before communicating with practices and patients,” MMH stated. The organization emphasized its commitment to transparency and pledged to provide daily updates whenever possible, though it acknowledged that legal and operational constraints can sometimes delay information release. 

The Deeper Insight into the ManageMyHealth Hack 

Independent forensic analysis has confirmed that the cyberattack on ManageMyHealth targeted only a specific module within the app, Health Documents, rather than the entire platform. Preliminary investigations indicate that approximately 6–7% of the 1.8 million registered users may have had documents accessed.  MMH clarified that there is currently no evidence of core patient database access, modification, destruction of records, or theft of user login credentials. However, the organization continues to work with cybersecurity specialists to verify which documents were affected and to ensure a full understanding of the breach.  “We have identified and closed the specific security gaps that allowed unauthorized access,” MMH said in its 3 January 2026 update. Additional safeguards, such as stricter login attempts and strengthened storage for health documents, have been implemented. Users are also encouraged to enable two-factor authentication via supported apps, including Google Authenticator and Microsoft Authenticator, to enhance account security. 

Coordinated Response to Data Breach at MMH 

In response to the MMH data breach, the organization has begun communications with general practices, providing secure, confidential lists of affected patients. Notifications to individuals are expected to commence shortly, coordinated with Health New Zealand, General Practice New Zealand (GPNZ), and the relevant Primary Health Organizations (PHOs).  MMH has also established measures to prevent further dissemination of sensitive information. Injunction orders have been obtained from the High Court to block third parties from distributing potentially compromised data, and an international monitoring team is actively tracking known leak sites for any illicit publications. “The cyberattack constitutes criminal activity, and any unlawful use of patient data will be pursued through legal action,” the company stated, while refraining from commenting on potential ransom demands, which remain under investigation by the New Zealand Police.

Support for Patients and Healthcare Providers 

To assist those affected, MMH plans to launch a dedicated 0800 helpline and online support desk. The company is working to ensure clear guidance for healthcare providers handling patient inquiries, aiming for consistent and accurate communication across the sector. MMH’s CEO, Vino Ramayah, highlighted the importance of restoring public trust. “We appreciate the patience of patients, practices, and partners while this complex investigation continues. Our priority remains transparency, system security, and appropriate support for all affected parties,” he said.  Independent forensic specialists continue to investigate the breach, and MMH has confirmed full cooperation with the Ministry of Health review. The findings are expected to inform improvements not only for MMH but across the broader health sector, reinforcing cybersecurity standards and preparedness against future incidents.  While MMH has taken immediate steps to secure its systems and support affected users, the investigation into the data breach at MMH remains ongoing, with updates expected as forensic confirmation and legal processes progress. This is an ongoing story, and The Cyber Express is closely monitoring the situation. We’ll update this post once we have more information on the ManageMyHealth hack or any further information from the company. 

A newly disclosed security warning has drawn attention to potential risks at the HitBTC Exchange after blockchain security firm SlowMist reported identifying a potentially critical vulnerability on the platform.   SlowMist revealed the issue in a public post on X (formerly Twitter), after efforts to contact HitBTC through direct messages reportedly went unanswered. According to the blockchain security firm, responsible disclosure protocols were followed before the public warning, but the absence of acknowledgment left researchers with limited options to ensure user safety.  In its official statement, SlowMist wrote, “We have identified a potential critical vulnerability and reached out via DM in advance under responsible disclosure, but have not yet received a response. Please contact us promptly to coordinate next steps.”  Although no technical details were released to prevent misuse, SlowMist stressed that the vulnerability could pose serious risks to both user funds and sensitive data held on the HitBTC Exchange.  

HitBTC Exchange and Ongoing Cryptocurrency Security Concerns 

Founded in 2013, HitBTC Exchange is one of the oldest cryptocurrency trading platforms still in operation. Registered in the British Virgin Islands, the exchange offers access to more than 250 cryptocurrencies and over 800 trading pairs. Recent figures show that HitBTC processed more than $110 million in trading volume within 24 hours.  Despite its long-standing presence, the platform has faced criticism in recent years related to transparency, customer support responsiveness, and communication practices. The current incident has intensified those concerns, especially since similar situations have occurred elsewhere in the cryptocurrency sector.  The warning involving HitBTC marks at least the third instance in recent weeks where SlowMist publicly disclosed vulnerability concerns after failing to establish contact with an exchange. In December, the firm issued comparable notices to Seychelles-registered Azbit and Turkey-based ICRYPEX Global, both of which reportedly did not respond despite managing daily trading activity. 

Data Shows Rising Impact of Cryptocurrency Attacks 

The unfolding situation reflects broader security trends affecting the cryptocurrency ecosystem. According to SlowMist’s 2025 annual security report, approximately 200 blockchain-related security incidents occurred during the year, resulting in estimated losses of $2.935 billion. While the number of incidents declined compared to 2024, the total financial impact increased by 46%, indicating more targeted and high-impact attacks. Exchange-related incidents numbered only 12 in 2025 but accounted for losses totaling $1.809 billion. In contrast, decentralized finance (DeFi) protocols experienced 126 incidents, leading to $649 million in losses. Supporting this data, blockchain security firm CertiK reported that $117.8 million was lost to cryptocurrency exploits in December 2025 alone.  SlowMist continues to play an important role in monitoring and mitigating these threats. During 2025, the firm helped freeze or recover approximately $19.29 million in stolen assets using its threat intelligence network and MistTrack analysis platform. Across 18 major incidents, around $387 million of $1.957 billion in stolen funds was recovered, representing a recovery rate of 13.2%. 

The European Space Agency (ESA) has confirmed a cybersecurity breach involving servers located outside its corporate network. This confirmation comes following threat actor claim that they had compromised ESA systems and stolen a large volume of internal data. While ESA maintains that only unclassified information was affected. In an official statement shared on social media, the European Space Agency said it is aware of the cybersecurity issue and has already launched a forensic security investigation, which remains ongoing. According to ESA, preliminary findings indicate that only a very small number of external servers were impacted. “These servers support unclassified collaborative engineering activities within the scientific community,” ESA stated, emphasizing that the affected infrastructure does not belong to its internal corporate network. The agency added that containment measures have been implemented to secure potentially affected devices and that all relevant stakeholders have been informed. [caption id="attachment_108221" align="aligncenter" width="620"] Source: ESA Twitter Handle[/caption] ESA said it will provide further updates as additional details become available.

Threat Actor Claims Data Theft

The confirmation follows claims posted on BreachForums and DarkForums, where a hacker using the alias “888” alleges responsibility for the cybersecurity breach. According to the posts, the attack occurred on December 18, 2025, and resulted in the full exfiltration of internal ESA development assets. The threat actor claims to have stolen over 200 GB of data, including private Bitbucket repositories, source code, CI/CD pipelines, API tokens, access tokens, configuration files, Terraform files, SQL files, confidential documents, and hardcoded credentials. “I’ve been connecting to some of their services for about a week now and have stolen over 200GB of data, including dumping all their private Bitbucket repositories,” the actor wrote in one forum post. The stolen data is reportedly being offered as a one-time sale, with payment requested exclusively in Monero (XMR), a cryptocurrency commonly associated with underground cybercrime marketplaces. [caption id="attachment_108222" align="aligncenter" width="832"] Source: Data Breach Fourm[/caption] ESA has not verified the authenticity or scope of the claims made by the threat actor. So far, ESA has not disclosed which specific external servers were compromised or whether any credentials or development assets referenced by the threat actor were confirmed to be exposed. Founded 50 years ago and headquartered in Paris, the European Space Agency is an intergovernmental organization that coordinates space activities across 23 member states. Given ESA’s role in space exploration, satellite systems, and scientific research, cybersecurity incidents involving the agency carry heightened strategic and reputational significance.

Previous European Space Agency Cybersecurity Incidents 

This is not the first cybersecurity breach involving ESA in recent years. In December 2024, the agency’s official web shop was compromised after attackers injected malicious JavaScript code designed to steal customer information and payment card data during checkout. That incident raised concerns around third-party systems and external-facing infrastructure, an issue that appears relevant again in the current breach involving non-corporate servers.

What Happens Next

While ESA insists the compromised systems hosted only unclassified data, the ongoing forensic investigation will be critical in determining the true scope and impact of the breach. As threat actors continue to publish claims on hacking forums, the incident highlights the growing cybersecurity risks facing large scientific and governmental organizations that rely heavily on collaborative and distributed digital environments. ESA has said further updates will be shared once more information becomes available.

Trust Wallet users had $8.5 million in crypto assets stolen in a cyberattack linked to the second wave of the Shai-Hulud npm supply chain attack. In a lengthy analysis of the attack, Trust Wallet said attackers used the Shai-Hulud attack to access Trust Wallet’s browser extension source code and Chrome Web Store API key. “Using that access, they were able to prepare a tampered version of the extension with a backdoor designed to collect users’ sensitive wallet data [and] releasing the malicious version to the Chrome Web Store using the leaked (CWS) API key,” the crypto wallet company said. So far Trust Wallet has identified 2,520 wallet addresses affected by the incident and drained by the attackers, totaling approximately $8.5 million in assets. The company said it “has decided to voluntarily reimburse the affected users.” News of the successful attack comes amid reports that threat actors are actively preparing for a third wave of Shai-Hulud attacks.

Trust Wallet Shai-Hulud Attack Detailed

Trust Wallet said “an unauthorized and malicious version” of its Browser Extension (version 2.68) was published to the Chrome Web Store on December 24, “outside of our standard release process (without mandatory review). This version contained malicious code that, when loaded, allowed the attacker to access sensitive wallet data and execute transactions without authorization.” The $8.5 million in assets were associated with 17 wallet addresses controlled by the attacker, but Trust Wallet said the attacker addresses “also drained wallet addresses NOT associated with Trust Wallet and this incident. We are actively tracking other wallet addresses that may have been impacted and will release updated numbers once we have confirmation.” The incident affects only Trust Wallet Browser Extension version 2.68 users who opened the extension and logged in during the affected period of December 24-26. It does not affect mobile app users, users of other Browser Extension versions, or Browser Extension v2.68 users who opened and logged in after December 26 at 11:00 UTC. “If you have received an app push via the Trust Wallet mobile app or you see a security incident banner on your Trust Wallet Browser Extension, you may still be using the compromised wallets,” the company said. Browser Extension v2.68 users who logged into their wallets during the affected period were advised to transfer their funds from any at-risk wallets to a newly created wallet following the company’s instructions and to submit reimbursement claims at https://be-support.trustwallet.com.

White Hat Researchers Limited Damage with DDoS Attacks

The dramatic Trust Wallet attack was met by an equally dramatic response from white hat security researchers, who launched DDoS attacks on the attacker to limit damage, as detailed in the company’s update. Trust Wallet’s Developer GitHub secrets were exposed in the November second-wave attack, which gave the attacker access to the browser extension source code and the API key, allowing builds to be uploaded directly without Trust Wallet's internal approval and manual review. The attacker registered the domain metrics-trustwallet.com “with the intention of hosting malicious code and embedding a reference to that code in their malicious deployment of the Trust Wallet Browser Extension,” the company said. The attacker prepared and uploaded a tampered version of the browser extension using the codebase of an earlier version that they had accessed through the exposed developer GitHub secrets. The attacker published version 2.68 on the Chrome Web Store for review using the leaked CWS key, “and the malicious version was released automatically upon passing Chrome Web Store review approval,” Trust Wallet said. On December 25, the first wallet-draining activity was publicly reported, when 0xAkinator and ZachXBT flagged the issues and identified the attacker's wallet addresses, and partner Hashdit and internal systems “notified us with multiple suspicious alerts.” “White-hat researchers initiated DDoS attacks in an attempt to temporarily disable the attacker's malicious domain, api.metrics-trustwallet.com, helping to minimize further victims,” Trust Wallet said. The company rolled back to a verified clean version (2.67, released as 2.69) and issued urgent upgrade instructions.

Victims of the CL0P ransomware group’s August campaign targeting Oracle E-Business Suite vulnerabilities are still coping with the aftermath of the cyberattacks, as Korean Air and the University of Phoenix have become the latest to reveal details of the breach. The University of Phoenix reported earlier this month in an SEC filing that it was among the Oracle EBS victims, after the company was named as a victim by CL0P on the threat group’s dark web data leak site. In a new filing with the Maine Attorney General’s office, the University of Phoenix revealed the extent of the breach – nearly 3.5 million people may have had their personal data compromised, including names, dates of birth, Social Security numbers, and bank account and routing numbers. The sample notification letter provided by the university offered victims complimentary identity protection services. including a year of credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy, and identity theft recovery services. Oracle EBS victims continue to grapple with the aftermath of the attacks even as CL0P has reportedly moved on to a new extortion campaign targeting internet-facing Gladinet CentreStack file servers.

Korean Air Among Oracle EBS Victims

Korean Air also reported a cyberattack that appears linked to the Oracle EBS campaign. According to news reports, KC&D Service – the former in-flight catering subsidiary of the airline that’s now owned by a private equity firm – informed Korean Air of a leak that involved personal data belonging to the airline’s employees. The compromised data involved 30,000 records and included names and bank account numbers. The breach was revealed in an “internal notice,” according to the reports. The airline said no customer data appears to have been compromised by the breach. According to Korea JoongAng Daily, Woo Kee-hong, vice chairman of Korean Air, said in a message to employees, “Korean Air takes this incident very seriously, especially since it involves employee data, even if it originated from a third-party vendor that was sold off. We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.” While the reports didn’t specifically mention the Oracle EBS campaign, “Korean Air Catering” was one of more than 100 victims listed by CL0P on its data leak site. Other confirmed victims in the Oracle campaign have included The Washington Post, Harvard University, Dartmouth College, the University of Pennsylvania, American Airlines’ Envoy Air, Logitech, Cox, Mazda, Canon, and Hitachi’s GlobalLogic.

CL0P’s File Services Exploits

CL0P’s ability to exploit file sharing and transfer services at scale has made it a top five ransomware group over its six-year history, with more than 1,000 known victims to date, according to Cyble threat intelligence data. Other CL0P campaigns have targeted Cleo MFT, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere, among others. CL0P’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited Accellion FTA vulnerabilities. Some reports have linked the Oracle EBS campaign to the FIN11 threat group, with CL0P acting as the public face of the campaign.

France’s data protection authority, the CNIL, has imposed a €1.7 million GDPR fine on software company NEXPUBLICA FRANCE for failing to implement adequate cybersecurity measures. The penalty was announced on 22 December 2025 following an investigation into a data breach linked to the company’s PCRM software, widely used in the social services sector. The regulator said the GDPR fine reflects serious shortcomings in how the company protected sensitive personal data, despite being aware of long-standing security weaknesses before the breach occurred.

Data Breach Exposed Third-Party Documents

The case dates back to November 2022, when users of a Nexpublica online portal reported that they could access documents belonging to other individuals. These documents included personal files that should have been strictly restricted, raising immediate concerns about data security and access controls. Customers of NEXPUBLICA notified the CNIL after discovering that users could view third-party information through the portal. Given the nature of the data involved, the incident posed a high risk to individuals’ privacy and rights, prompting a formal investigation by the regulator.

PCRM Software Used in Sensitive Social Services

NEXPUBLICA FRANCE, formerly known as INETUM SOFTWARE FRANCE, specializes in designing IT systems and software. One of its core products, PCRM, is a user relationship management tool used in social action services. It is notably deployed by Departmental Houses for the Disabled (MDPH) in several French departments. Because PCRM processes highly sensitive personal data, including information that can reveal a person’s disability, the CNIL stressed that a high level of security was required. The GDPR fine reflects the sensitivity of the data exposed and the potential harm caused to affected individuals.

CNIL Finds Serious Security Failures

Following its investigation, the CNIL concluded that the technical and organisational measures implemented to secure PCRM were insufficient. The regulator identified a general weakness in Nexpublica’s information system, along with structural vulnerabilities that had been allowed to persist over time. According to the CNIL, many of these vulnerabilities stemmed from a lack of knowledge of basic cybersecurity principles and current best practices. Several security flaws had already been identified in internal and external audit reports prior to the breach. Despite this, the company failed to correct the issues until after the data breaches were reported. This delay played a key role in the decision to impose the GDPR fine.

Violation of Article 32 of the GDPR

The CNIL ruled that Nexpublica violated Article 32 of the GDPR, which requires organisations to implement security measures appropriate to the level of risk. This includes considering the state of the art, implementation costs, and the risks posed to individuals’ rights and freedoms. The restricted committee, the CNIL body responsible for sanctions, found that Nexpublica did not meet these requirements. The situation was considered more serious because the company operates as an IT systems and software specialist and should have been fully aware of its security obligations.

Why the GDPR Fine Was €1.7 Million

In setting the amount of the GDPR fine, the CNIL considered several factors. These included Nexpublica’s financial capacity, the number of people potentially affected, and the sensitive nature of the data processed through PCRM. The regulator also took into account that the security issues were known internally before the breach and were only addressed afterward. While Nexpublica has since implemented corrective measures, the CNIL said this did not outweigh the severity of the earlier failings. As the necessary fixes have now been applied, the CNIL did not issue a separate compliance order. However, the GDPR fine serves as a clear warning to software providers handling sensitive public-sector data: known security weaknesses must be addressed before, not after, a breach occurs.

The former employee behind the recent Coupang data breach tried to cover his tracks by smashing his MacBook Air and throwing it into a river, the company revealed in a recent update on the incident. The alleged perpetrator panicked when news outlets reported on the Coupang breach, the December 25 update said. “Among other things, the perpetrator stated that he physically smashed his MacBook Air laptop, placed it in a canvas Coupang bag, loaded the bag with bricks, and threw the bag into a nearby river,” the update said. Using maps and descriptions from the former employee, divers were able to recover the laptop from the river. “It was exactly as the perpetrator claimed—in a canvas Coupang bag loaded with bricks—and its serial number matched the serial number in the perpetrator’s iCloud account,” Coupang said. Coupang has since updated the post twice, once to reassure customers that the company was cooperating fully with the government in its investigation, and the second time to announce a “customer compensation plan to restore customer trust” with vouchers worth about USD $35 (50,000 won) per customer.

Coupang Breach Smaller than Feared

Much of the update sought to reassure customers of the Korean online retailer that the breach was smaller than initially feared. While initial reports said the breach – which led to the CEO’s resignation – might have compromised the data of more than 33 million, Coupang said its investigation indicates that while the perpetrator may have accessed 33 million accounts, he “retained limited user data from only 3,000 accounts and subsequently deleted the user data.” The user data included 2,609 building entrance codes, but no payment, log-in data or individual customs numbers were accessed, and the perpetrator never transferred any of the data to third parties, the company said. Coupang said it conducted its investigation with Mandiant, Palo Alto Networks and Ernst & Young.

Perpetrator ‘Confessed Everything’

Coupang said it used “digital fingerprints” and other forensic evidence to identify the former employee allegedly responsible for the breach. “The perpetrator confessed everything and revealed precise details about how he accessed user data,” the company said. The former employee used “an internal security key that he took while still working at the company” to access “basic user data” from more than 33 million customer accounts. He retained user data (name, email, phone number, address and partial order histories) from about 3,000 accounts, plus 2,609 building entrance access codes. The Coupang statement notes repeatedly that the alleged perpetrator’s story is supported by the available forensic evidence, likely to reassure customers that the breach wasn’t as bad as initially feared. The statement frequently uses phrases such as “exactly as the perpetrator described” to underscore that the forensic evidence supports the former employee’s claims. “The investigative findings to date are consistent with the perpetrator’s sworn statements and found no evidence that contradicts these statements,” the company says in another section. “The perpetrator stated that he used a personal desktop PC and a MacBook Air laptop to provision access and to store a limited amount of user data,” the Coupang statement said. “Independent forensic investigation confirmed that Coupang systems were accessed using one PC system and one Apple system as the primary hardware interfaces, exactly as the perpetrator described.” The perpetrator also turned over the PC system and four hard drives from the system, “on which analysts found the script used to carry out the attack,” the company said.

The Shinhan Card data breach has exposed the personal information of approximately 192,000 card merchants, the South Korea–based financial services company confirmed on Tuesday. The incident, which involved the unauthorized disclosure of phone numbers and limited personal details, has been reported to the country’s Personal Information Protection Commission (PIPC). According to Shinhan Card, the breach affected self-employed individuals who operate franchised merchant locations and had shared personal details as part of standard merchant agreements. The company said there is currently no evidence that sensitive financial information, such as credit card numbers, bank account details, or national identification numbers, was compromised.

Employee Misconduct Identified as Cause of Shinhan Card Data Breach

In a statement, Shinhan Card clarified that the Shinhan Card data breach was not the result of an external cyberattack. Instead, the company suspects internal misconduct, with an employee at a sales branch allegedly transmitting merchant data to a card recruiter for sales-related purposes. “This was not due to external hacking but an employee’s misconduct,” a Shinhan Card official said, adding that the internal process involved has since been blocked. The company launched an internal investigation immediately after becoming aware of the incident and has taken steps to prevent similar actions in the future.

Scope of Personal Information Leak

The leaked data primarily involved mobile phone numbers, which accounted for roughly 180,000 cases. In about 8,000 instances, phone numbers were leaked alongside names. A smaller subset of records also included additional details such as birthdates and gender. Shinhan Card stated that its investigation has not identified cases where citizen registration numbers, card numbers, account details, or credit information were exposed. At this stage, the company has also said that no confirmed cases of misuse of the leaked information have been reported. The personal information leak affected merchants who signed contracts with Shinhan Card between March 2022 and May 2025, according to findings shared with regulators.

Shinhan Card Data Breach Timeline and Regulatory Notification

The breach came to light last month following a report submitted to the Personal Information Protection Commission, South Korea’s data protection authority. After receiving the notification, the PIPC requested supporting materials from Shinhan Card to assess the scope and cause of the incident. Following its internal review, Shinhan Card formally reported the data breach to the PIPC on December 23, complying with regulatory disclosure requirements. The company has continued to cooperate with authorities as the review process continues.

Company Response and Merchant Support Measures

In response to the Shinhan Card data breach, the company published an apology and detailed guidance on its website and mobile application. It also launched a dedicated page allowing affected merchants to check whether their personal data was compromised. “We will make every effort to protect our customers and prevent similar incidents from recurring,” a Shinhan Card spokesperson said. The company has emphasized that it is strengthening internal controls and reviewing access permissions related to merchant data. Shinhan Card also urged merchants to remain vigilant for potential phishing or unsolicited contact attempts, even though no additional harm linked to the leaked data has been confirmed so far.

Broader Implications for Financial Data Protection

The Shinhan Card data breach incident highlights ongoing challenges around data governance and insider risk within financial institutions, even as companies continue to invest heavily in cybersecurity defenses against external threats. While many breaches globally involve hacking or ransomware, incidents stemming from employee misconduct remain a persistent concern for banks and payment providers. Authorities have not yet announced whether penalties or corrective actions will follow the investigation. For now, Shinhan Card maintains that it is focused on customer protection and restoring trust following the incident.

Chinese short-video platform Kuaishou Technology saw its shares fall sharply after the company confirmed a cyberattack that briefly disrupted its livestreaming services, exposed users to inappropriate content, and rattled investor confidence. The Kuaishou cyberattack, which occurred late on Monday night, triggered the stock’s steepest single-day decline in more than two months and pushed it to its lowest level since late November.  Shares of Hong Kong-listed Kuaishou Technology (HK:1024) fell by as much as 6% on Tuesday, dropping to HK$62.70 (approximately $8.06). This marked the company’s lowest share price since November 21 and represented its largest one-day percentage decline since October 14. The stock also emerged as the biggest decliner on the Hang Seng Tech Index, which itself fell about 0.5% on the day.  Market reaction followed confirmation of a cyberattack on Kuaishou that disrupted its livestreaming function. As one of China’s largest short-video platforms and a close competitor to Douyin, the Chinese version of TikTok, Kuaishou’s performance is closely watched by investors. The sudden service disruption and reports of exposed content raised concerns about platform security and operational resilience. 

Kuaishou Cyberattack Timeline

According to a company announcement issued on December 23, 2025, the Kuaishou cyberattack occurred at around 10:00 p.m. local time (14:00 GMT) on December 22, 2025. Cyberthreat actors targeted the live-streaming function of the Kuaishou app, temporarily interrupting services and exposing users to content described by some users as explicit and violent. Several reports characterized the incident as “unprecedented” for the platform.  Kuaishou stated that it activated its emergency response plan immediately after detecting the cyberattack on Kuaishou. Following system repairs and restoration efforts, livestreaming services gradually resumed normal operations. The company noted that other services on the Kuaishou app were not affected by the incident, although some livestreaming functions continued to experience limited disruption during the recovery phase. 

Company Response and Legal Actions 

In its press release, Kuaishou Technology said it had reported the incident to the police and relevant authorities and was pursuing further legal remedies. The company stated that it strongly condemns illegal and criminal activities linked to underground and gray industries and reiterated its opposition to any form of unlawful or harmful content.  Kuaishou also said it remains committed to operating in compliance with applicable laws and regulations and to safeguarding the interests of the company and its shareholders. While livestreaming services have largely returned to normal, the cyberattack on Kuaishou highlighted the operational and reputational risks associated with large-scale social and live-commerce platforms. 

Broader Security Concerns and Prior Data Leak Claims 

The recent cyberattack on Kuaishou has drawn renewed attention to earlier cybersecurity allegations involving the platform. In September, a threat actor on a known cybercrime forum claimed to have leaked order data allegedly stolen from Kuaishou. According to that claim, an attacker compromised a live broadcast room and used the access to place around 10,000 fraudulent orders for non-refundable virtual goods.  The data allegedly leaked included usernames, phone numbers, addresses, and order details of affected users. If accurate, the incident would represent a multi-layered security breach involving unauthorized access, financial fraud, and the exposure of personally identifiable information.  

Implications for Platform Security 

The December livestreaming Kuaishou cyberattack shows how attacks on social video and live-commerce platforms can quickly extend beyond service disruption to include content abuse, fraud, and potential data exposure, with immediate financial and regulatory impact.   As Kuaishou works to restore stability and address security gaps, the incident stresses the need for early threat detection, rapid investigation, and continuous monitoring of underground activity. Cyble supports this need through AI-powered threat intelligence that tracks dark web and cybercrime signals, correlates indicators of compromise, and enables faster response. Security teams can assess their exposure and book a personalized demo to better anticipate and mitigate similar attacks. 

The University of Sydney has confirmed a major cybersecurity incident that resulted in the exposure of personal information belonging to thousands of current and former staff members, as well as smaller groups of students, alumni, and supporters. The University of Sydney cyberattack was formally disclosed to the university community on December 18, 2025, after the institution detected unauthorized access to an internal online IT code library.  University officials said the suspicious activity was identified last week during monitoring of the platform, which is primarily used for software development and code storage. While the system was never intended to house personal records, investigators found that historical data files had been stored within the library, largely for testing purposes. These files were accessed and downloaded by an unauthorized party before the university intervened.  Upon discovering the University of Sydney cyberattack, the university immediately blocked unauthorized access and secured the affected environment. Officials also clarified that the cyberattack on University of Sydney was unrelated to a separate incident involving student results reported earlier. 

Decoding the University of Sydney Cyberattack

According to the university’s investigation to date, the data breach at the University of Sydney affected a wide range of individuals. The compromised files included a historical dataset from a retired system containing personal information about staff employed at the university as of September 4, 2018. Exposed details included names, dates of birth, phone numbers, home addresses, and basic employment information such as job titles and dates of employment.  In total, personal information belonging to around 10,000 current staff and affiliates and approximately 12,500 former staff and affiliates from that period was accessed. In addition, a collection of historical datasets, primarily from 2010 to 2019, contained personal information relating to about 5,000 students and alumni, along with data belonging to six supporters.  Vice President for Operations Nicole Gower addressed staff in a written message confirming the scope of the University of Sydney cyberattack and offering an apology. “We understand this news may cause concern, and we sincerely apologise for any distress this may cause,” Gower wrote. “While the data has been accessed and downloaded, there is currently no evidence that it has been used or published.” 

Investigation, Notifications, and Official Response

The University of Sydney has reported the incident to multiple government authorities, including the NSW Privacy Commissioner, the Australian Cyber Security Centre, the Tertiary Education Quality and Standards Agency, the National Student Ombudsman, and ID Support NSW. The university is also working with external cybersecurity partners to assess whether any of the accessed data has been disclosed online.  At this stage, the university believes the unauthorized access was confined to a single platform and did not compromise other university systems. However, the investigation remains ongoing and is expected to continue into the new year due to its complexity.  Notifications to affected individuals began on December 18, 2025. The university expects to complete this process by January 2026, once file reviews are finalized, and contact details for all impacted individuals are confirmed. Updates and responses to frequently asked questions are being published on the university’s website as the situation evolves. 

Support Services and Advice for Affected Individuals

In response to the University of Sydney data breach, a range of support services has been made available to staff, students, alumni, and affiliates. A dedicated cyber incident support service has been established to handle inquiries and will remain operational during the university’s closedown period from December 20, 2025, to January 5, 2026, excluding public holidays.  Staff members have access to counseling and wellbeing services through Converge International, while students can seek free and confidential support through Student Wellbeing services, which are available 24/7. Additional assistance is available through external organizations such as ID Support NSW, IDCARE, Beyond Blue, and Lifeline.  The university has also issued guidance urging affected individuals to remain vigilant by monitoring accounts for unusual activity, changing passwords, enabling multi-factor authentication, and being cautious of phishing attempts. Officials advised sharing details of the incident on social media to reduce the risk of scams.  University leadership reiterated that cybersecurity remains a priority and noted that an extensive program to strengthen data management practices has been underway for the past three years. Further updates will be provided as the investigation into the cyberattack on University of Sydney progresses and additional findings become available. 

Japanese office and household goods supplier Askul Corporation has begun restoring core logistics operations following a prolonged disruption caused by a ransomware incident. The Askul cyberattack, first detected on October 19, 2025, led to system outages, operational paralysis, and the confirmed exposure of sensitive personal and business data. After nearly two months of recovery work, Askul announced that system-based shipment operations had resumed, starting with two logistics centers located in Tokyo and neighboring Saitama Prefecture. The company said that eight additional distribution hubs will be brought back online gradually as safety assessments are completed. Speaking to reporters at a logistics center in Tokyo’s Edogawa Ward, President and CEO Akira Yoshioka issued a formal apology. “I sincerely apologize for the trouble and concern caused to many customers,” Yoshioka said. He added that the company was committed to pursuing “a full-fledged security governance reform” in response to the incident.

Disruption to Operations and Gradual Recovery 

The Askul cyberattack forced the company to suspend nearly all online services shortly after detection. Order intake and shipping operations across its ASKUL, Soloel Arena, and LOHACO platforms were halted on the afternoon of October 19, following confirmation that ransomware had encrypted internal systems. During the initial recovery phase, Askul accepted only limited orders via fax, restricting shipments to a small selection of essential items.  As system restoration progressed, the company gradually expanded order acceptance, prioritizing high-demand products such as copier paper. However, Yoshioka declined to provide a timeline for full restoration of logistics operations, stating that remaining hubs would reopen incrementally based on ongoing safety evaluations. 

Confirmation of Large-Scale Data Theft 

Beyond operational disruption, the Askul data breach revealed a loss of sensitive information. Askul confirmed that approximately 740,000 records were stolen during the ransomware incident, which has been linked to the RansomHouse extortion group.  According to Askul’s disclosures, the compromised data includes approximately 590,000 business customer service records and roughly 132,000 individual customer records. In addition, information related to around 15,000 business partners, such as agents, contractors, and suppliers, was affected, along with data belonging to about 2,700 executives and employees, including those at group companies.  Askul stated that detailed breakdowns of the exposed information were withheld to prevent secondary misuse. Affected customers and partners are being notified individually, and the company has reported the data breach at Askul to Japan’s Personal Information Protection Commission. Long-term monitoring measures have also been implemented to detect potential misuse of stolen data.  Importantly, Askul clarified that it does not store customer credit card information for LOHACO transactions, as payment processing is handled through an external system designed to prevent the company from accessing such data. 

Attack Timeline and RansomHouse Involvement 

The RansomHouse group publicly claimed responsibility for the Askul cyberattack, first disclosing the breach on October 30. Additional data leaks followed on November 10 and December 2. Askul confirmed that all published data was reviewed and analyzed by October 31, November 11, and December 9, respectively. A dedicated inquiry desk for affected individuals was established on November 4.  In its 13th official update, released on December 12, Askul provided a detailed chronology of the incident. After detecting ransomware activity on October 19, the company immediately isolated suspected infected systems, disconnected networks, strengthened monitoring, and initiated a company-wide password reset. By 2:00 p.m. that day, a formal incident response headquarters and specialized recovery teams were established.  External cybersecurity experts were engaged on October 20 to conduct forensic investigations, including log analysis and impact assessments. Despite these efforts, unauthorized access to an external cloud-based inquiry management system was identified on October 22. Password resets for major cloud services were completed by October 23, after which no further intrusions were confirmed. 

Technical Findings and Root Cause Analysis 

Askul’s investigation concluded that attackers likely gained initial access using stolen authentication credentials tied to an outsourced partner’s administrative account that lacked multi-factor authentication. After entering the internal network, the attackers conducted reconnaissance, collected additional credentials, disabled endpoint detection and response (EDR) tools, and moved laterally across servers.  Notably, Askul confirmed that multiple ransomware variants were deployed, including strains that evaded EDR signatures available at the time. Once sufficient privileges were obtained, attackers simultaneously encrypted data across logistics and internal systems, including backup files. This delayed recovery efforts.  The attack had a severe impact on Askul’s logistics infrastructure, which relies heavily on automated warehouses, picking systems, and integrated logistics platforms. When these systems were disabled, outbound shipments were completely halted.  Investigators also confirmed unauthorized access to an external cloud-based inquiry management system, from which data was exfiltrated and later published. Askul stated that no evidence of compromise was found in its core business systems or customer-facing platforms. 

Security Reforms and Governance Changes 

In response to the data breach at Askul, the company initiated sweeping security reforms aligned with the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. Enhancements include mandatory MFA for all remote access, strengthened log analysis, expanded 24/7 security monitoring, and improved asset integrity checks.  Askul has also committed to rebuilding its security governance framework by the end of the fiscal year in May 2026, focusing on enterprise risk management, clearer accountability, and stronger oversight.  The company noted that it has not contacted the attackers, negotiated, or paid any ransom, citing its responsibility to avoid encouraging criminal activity. It continues to cooperate with law enforcement, regulatory authorities, and information-sharing organizations such as JPCERT/CC. 

French authorities have arrested a 22-year-old man in connection with a French Interior Ministry cyberattack, marking an important development in an investigation into the breach of the ministry’s internal email systems. The arrest was carried out on December 17, 2025, following an inquiry led by the cybercrime unit of the Paris prosecutor’s office. According to a notice issued by France’s Ministry of the Interior, the suspect was taken into custody on charges including unauthorized access to a state-run automated personal data processing system. The offense carries a maximum sentence of up to 10 years in prison. "A person was arrested on December 17, 2025, as part of an investigation opened by the cybercrime unit of the Paris prosecutor's office, on charges including unauthorized access to a state-run automated personal data processing system, following the cyberattack against the Ministry of the Interior," the press release, translated into English, said. The ministry confirmed that the individual, born in 2003, is already known to the justice system and was convicted earlier in 2025 for similar cyber-related offenses. Authorities have not disclosed the suspect’s identity. "The suspect, born in 2003, is already known to the justice system, having been convicted of similar offenses in 2025," release added further. [caption id="attachment_107868" align="aligncenter" width="923"] Source: French Interior Ministry[/caption]

Investigation Into Cyberattack on France’s Ministry of the Interior 

The French Interior Ministry cyberattack was first publicly acknowledged last week, after officials revealed that the ministry’s internal email servers had been compromised. The cyberattack was detected overnight between Thursday, December 11, and Friday, December 12, and resulted in unauthorized access to a number of document files. French Interior Minister Laurent Nuñez described the incident as more serious than initially believed. Speaking to Franceinfo radio, he said, "It's serious. A few days ago, I said that we didn't know whether there had been any compromises or not. Now we know that there have been compromises, but we don't know the extent of them." Authorities later confirmed that the compromised files included criminal records, raising concerns about the sensitivity of the exposed information. However, Nuñez urged caution when assessing the scale of the breach. I can tell you that there have not been millions of pieces of data extracted as of this morning (...), but I remain very cautious about the level of compromise," he added.

Legal Action Aganist French Interior Ministry cyberattack

In a statement issued by Public Prosecutor Laure Beccuau, officials said the suspect of French Interior Ministry cyberattack was arrested as part of an investigation into unauthorized access to an automated data processing system, allegedly carried out as part of an organized group. Prosecutors reiterated that this offense is punishable by up to 10 years’ imprisonment. The investigation is being conducted by OFAC, France’s Office for Combating Cybercrime. Authorities noted that a further statement will be released once the police custody period ends, which can last up to 48 hours. French prosecutors also confirmed that while the suspect has prior convictions for similar crimes in 2025, they are not disclosing further details about those cases.

Government Response and Security Measures

Following the French Interior Ministry cyberattack, the Ministry of the Interior implemented standard security protocols and strengthened access controls across its systems. Speaking on RTL Radio, Minister Nuñez confirmed the attack and the immediate response, "There was indeed a cyberattack. An attacker was able to access a number of files. So we implemented the usual protection procedures." He further stated that investigations into French Interior Ministry cyberattack are ongoing at both judicial and administrative levels, and that France’s data protection authority, the National Commission for Information Technology and Civil Liberties (CNIL), has been notified. On RTL Matin, Nuñez emphasized that the origin of the French Interior Ministry cyberattack remains unclear, "It could be foreign interference, it could be people wanting to challenge the authorities and demonstrate their ability to access systems, and it could also be cybercrime. Right now, we don't know what it is."

Claims of Responsibility Surface Online

Following public disclosure of the French Interior Ministry cyberattack incident, a post appeared on an underground forum claiming responsibility for the breach. The post stated, "We hereby announce that, in revenge for our arrested friends, we have successfully compromised 'MININT' — the French Ministry of the Interior." The message appeared to reference the 2025 arrests of five BreachForums moderators and administrators, known online as “ShinyHunters,” “Hollow,” “Noct,” “Depressed,” and “IntelBroker.” However, authorities have not confirmed any direct link between the arrested suspect and these claims. As the investigation into the French Interior Ministry cyberattack continues, French officials have stressed that all possibilities remain under consideration and that further updates will follow once the custody period concludes.

A recent report by British technology research firm Rethink Technology Research has raised serious concerns over a cyberattack on KT, South Korea’s leading telecom operator, suggesting the incident may involve state-level cyber espionage rather than a simple fraud case. The report, titled “KT Cyberattack: More Serious Than You Think,” was published on December 10 and analyzes the implications of the breach in detail.  According to Rethink Technology Research, the KT cyberattack appears to have targeted femtocells, small cellular base stations used in homes and offices, not for micro-payment fraud, but potentially to collect large-scale data at a national level. The report states, “The cyberattack on South Korean telecom company KT is not a simple fraud case but closer to a state-level cyber espionage activity spanning several years when examining the details.”  The report further notes that KT’s internal logs only date back to August 2024, making it difficult to confirm what occurred at vulnerable points before that period. Analysts suggest that this lack of historical data complicates the investigation and points to possible systemic failures in femtocell management, server oversight, and encryption protocols. “It seems inevitable that KT's leadership will face accountability for management negligence,” the report adds. 

Security Experts Weigh In

Security experts in South Korea have weighed in on the report’s findings. Dmitry Kurbatov, Chief Technology Officer at global communication security company SecurityGen, posted on LinkedIn that “the unauthorized micro-payment incident at KT is likely a deeper issue involving a network of thousands of femtocells.” Similarly, Kim Yong-dae, a professor in the Department of Electrical and Electronic Engineering at KAIST, described the incident as essentially a wiretapping operation rather than conventional financial fraud.  While Rethink Technology Research frames the attack as unprecedented in scope and sophistication, KT officials have pushed back against the report’s conclusions. A company spokesperson stated, “If you look at other reports by the author of this report, there is a tendency to be favorable and biased toward certain companies. It is difficult to regard this as an objective interpretation.” 

The KT Cyberattack Investigation Timeline

The cyberattack on KT was first detected in early September, when irregular micro-payments were identified across the network. A joint government-private investigation has been ongoing for over three months, with authorities yet to release the final findings. Analysts attribute the delay to stretched investigative resources due to a series of large-scale cyber incidents in South Korea, including the Coupang data leak. Some have also speculated that the prolonged timeline may indicate an intentional delay on KT’s part.  For comparison, the SK Telecom hacking case was resolved within two and a half months, followed by compensation announcements for affected users. In the case of KT, an investigation team official noted during a briefing following the presidential business report on December 12, “While investigating KT, additional issues have emerged, and server forensics are taking a considerable amount of time.”  Industry observers warn that the cyberattack on KT should serve as a cautionary tale for telecom operators not only in South Korea but globally. 

Two recent cybersecurity incidents involving financial services providers have exposed the personal information of millions of individuals, highlighting ongoing risks across the fintech and credit reporting ecosystem. The larger of the two incidents involves Prosper Marketplace cybersecurity incident, confirmed last week by the San Francisco-based fintech company. Prosper disclosed that 13.1 million people were affected after unauthorized activity was discovered on its systems on September 1, 2025. A subsequent investigation revealed that attackers accessed data between June and August 2025.

Prosper Marketplace Cybersecurity Incident Details

In its official notice, Prosper stated, "On September 1, 2025, Prosper discovered unauthorized activity on our systems. We acted quickly to stop the activity and enhance our security measures, and we began working with a leading cybersecurity firm to investigate what happened." While Prosper emphasized that there was no evidence of unauthorized access to customer accounts or funds, attackers were able to obtain a wide range of sensitive personal and financial data. The exposed information includes names, Social Security numbers, national ID numbers, dates of birth, bank account numbers, Prosper account numbers, financial application details, driver’s license numbers, passports, tax information, and payment card numbers. Regulatory filings show the scale of the exposure across states, with more than 1.1 million affected individuals in Texas, 236,000 in South Carolina, and 249,000 in Washington state. Prosper said it has begun notifying affected individuals and is offering two years of credit monitoring and identity restoration services through Experian. The company also confirmed that law enforcement was notified about cybersecurity incidents, and additional security and monitoring controls have been deployed. Founded in 2005, Prosper is best known for its peer-to-peer lending platform, through which more than 2 million customers have borrowed over $28 billion in personal loans. The company also offers home equity loans, lines of credit, and credit card products.

700Credit Security Incident Impacts Over 5.8 Million People

In a separate cybersecurity incident, Michigan-based 700Credit data exposure affected 5,836,521 individuals, according to a notice issued on Friday. The incident was discovered on October 25, 2025, when the company’s IT team identified unauthorized access to its systems. 700Credit provides credit reports, compliance solutions, identity verification, and fraud detection services to car dealerships across the U.S. The company said attackers made copies of data stored within its systems. The compromised information includes names, Social Security numbers, dates of birth, and physical addresses. Following the incident, 700Credit confirmed it will file a consolidated breach notice with the FTC on behalf of its affected dealership clients, after receiving approval from the agency. “We timely notified the FBI and the FTC and confirmed with the FTC that 700Credit’s filing on behalf of all dealers is sufficient to meet dealer obligations to notify the FTC.  In addition, we will be notifying State AG offices on behalf of dealers.  Impacted consumers will also be notified and offered credit monitoring services and assistance they may need. 700Credit has also been working directly with NADA,” the company said in a notice. As a result, dealers are not required to file separate FTC breach notifications related to this incident. However, dealers are still responsible for complying with state-level breach notification requirements, which remain unaffected by the FTC’s decision. Dealers have been advised to consult legal counsel to ensure compliance with applicable state laws.

Financial Services Sector Faces Rising Cybersecurity Incidents

The Prosper and 700Credit incidents come just weeks after a cyberattack on SitusAMC, a company used by major banks for real estate loan and mortgage services. That incident, discovered on November 12, 2025, involved stolen accounting records and legal agreements. Together, these cybersecurity incidents emphasise a growing trend: financial services providers and fintech companies are increasingly targeted for the volume and sensitivity of data they hold. While no threat actor has publicly claimed responsibility for either the Prosper Marketplace or 700Credit incidents, the scale of exposure raises concerns about identity theft, financial fraud, and long-term consumer risk. Both companies have urged affected individuals to remain vigilant, monitor their credit reports, and report any suspicious activity.

SoundCloud has confirmed a cyberattack on its platform after days of user complaints about service disruptions and connectivity problems. In what is being reported as a SoundCloud cyberattack, threat actors gained unauthorized access to one of its systems and exfiltrated a limited set of user data. “SoundCloud recently detected unauthorized activity in an ancillary service dashboard,” the company said. “Upon making this discovery, we immediately activated our incident response protocols and promptly contained the activity.”  Reports of trouble began circulating over several days, with users reporting that they were unable to connect to SoundCloud or experiencing access issues when using VPNs. After the disruptions persisted, the company issued a public statement on its website acknowledging the SoundCloud cyberattack incident. 

DoS Follows Initial SoundCloud Cyberattack

According to the music hosting service provider, the SoundCloud cyberattack was followed by a wave of denial-of-service attacks that further disrupted access to the platform. The company said it experienced multiple DoS incidents after the breach was contained, two of which were severe enough to take the website offline and prevent users from accessing the service altogether.  SoundCloud stated that it was ultimately able to repel the attacks, but the interruptions were enough to draw widespread attention from users and the broader technology community. These events highlighted the cascading impact of a cyberattack on SoundCloud, where an initial security compromise was compounded by availability-focused attacks designed to overwhelm the platform. 

Scope of Exposed Data and User Impact 

While the SoundCloud cyberattack raised immediate concerns about user privacy, the company stresses that the exposed data was limited. SoundCloud said its investigation found no evidence that sensitive information had been accessed.  “We understand that a purported threat actor group accessed certain limited data that we hold,” the company said. “We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed.”  Instead, the data involved consisted of email addresses and information already visible on public SoundCloud profiles. According to the company, approximately 20 percent of SoundCloud users were affected by the breach.   Although SoundCloud described the data as non-sensitive, the scale of the exposure is notable. Email addresses can still be leveraged in phishing campaigns or social engineering attacks, even when other personal details remain secure.  SoundCloud added that it is confident the attackers’ access has been fully shut down. “We are confident that any access to SoundCloud data has been curtailed,” the company said. 

Security Response and Ongoing Connectivity Issues 

The company did not attribute the SoundCloud cyberattack to a specific hacking group but confirmed that it is working with third-party cybersecurity experts and has fully engaged its incident response protocols. As part of its remediation efforts, the company said it has enhanced monitoring and threat detection, reviewed and reinforced identity and access controls, and conducted a comprehensive audit of related systems.  Some of these security upgrades had unintended consequences. SoundCloud acknowledged that changes made to strengthen its defenses contributed to the VPN connectivity issues reported by users in recent days.  “We are actively working to resolve these VPN related access issues,” the company said. 

PornHub is facing renewed scrutiny after confirming that some Premium users’ activity data was exposed following a security incident at a third-party analytics provider. The PornHub data breach disclosure comes as the platform faces increasing regulatory scrutiny in the United States and reported extortion attempts linked to the stolen data. The issue stems from a data breach linked not to PornHub’s own systems, but to Mixpanel, an analytics vendor the platform previously used. On December 12, 2025, PornHub published a security notice confirming that a cyberattack on Mixpanel led to the exposure of historical analytics data, affecting a limited number of Premium users. According to PornHub, the compromised data included search and viewing history tied to Premium accounts, which has since been used in extortion attempts attributed to the ShinyHunters extortion group. “A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users,” the company stated in its notice dated December 12, 2025.  PornHub stresses that the incident did not involve a compromise of its own systems and that sensitive account information remained protected.  “Specifically, this situation affects only select Premium users. It is important to note that this was not a breach of Pornhub Premium’s systems. Passwords, payment details, and financial information remain secure and were not exposed.”  According to PornHub, the affected records are not recent. The company said it stopped working with Mixpanel in 2021, indicating that any stolen data would be at least four years old. Even so, the exposure of viewing and search behavior has raised privacy concerns, particularly given the stigma and personal risk that can accompany such information if misused. 

Mixpanel Smishing Attack Triggered Supply-Chain Exposure 

The root of the incident was a PornHub cyberattack by proxy, a supply-chain compromise. Mixpanel disclosed on November 27, 2025, that it had suffered a breach earlier in the month. The company detected the intrusion on November 8, 2025, after a smishing (SMS phishing) campaign allowed threat actors to gain unauthorized access to its systems. Mixpanel CEO Jen Taylor addressed the incident in a public blog post, stressing transparency and remediation.  “On November 8th, 2025, Mixpanel detected a smishing campaign and promptly executed our incident response processes,” Taylor wrote. “We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts. We engaged external cybersecurity partners to remediate and respond to the incident.”  Mixpanel said the breach affected only a “limited number” of customers and that impacted clients were contacted directly. The company outlined an extensive response that included revoking active sessions, rotating compromised credentials, blocking malicious IP addresses, performing global password resets for employees, and engaging third-party forensic experts. Law enforcement and external cybersecurity advisors were also brought in as part of the response. 

OpenAI and PornHub Among Impacted Customers 

PornHub was not alone among Mixpanel’s customers caught up in the incident. OpenAI disclosed on November 26, 2025, one day before Mixpanel’s public announcement, that it, too, had been affected. OpenAI clarified that the incident occurred entirely within Mixpanel’s environment and involved limited analytics data related to some API users.  “This was not a breach of OpenAI’s systems,” the company said, adding that no chats, API requests, credentials, payment details, or government IDs were exposed. OpenAI noted that it uses Mixpanel to manage web analytics on its API front end.  PornHub denoted a similar assurance in its own disclosure, stating that it had launched an internal investigation with the support of cybersecurity experts and had engaged with relevant authorities. “We are working diligently to determine the nature and scope of the reported incident,” the company said, while urging users to remain vigilant for suspicious emails or unusual activity.  Despite those assurances, the cyberattack on PornHub, albeit indirect, has drawn attention due to the sensitive nature of the exposed data and the reported extortion attempts now linked to it. 

PornHub Data Breach Comes Amid Expanding U.S. Age-Verification Laws 

The PornHub data breach arrives at a time when the platform is already under pressure from sweeping age-verification laws across the United States. PornHub is currently blocked in 22 states, including Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Mississippi, Montana, Nebraska, North Carolina, North Dakota, Oklahoma, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, and Wyoming. These restrictions stem from state laws requiring users to submit government-issued identification or other forms of age authentication to access explicit content.  Louisiana was the first state to enact such a law, and others followed after the U.S. Supreme Court ruled in June that Texas’s age-verification statute was constitutional. Although PornHub is not blocked in Louisiana, the requirement for ID verification has had a significant impact. Aylo, PornHub’s parent company, said that the traffic in the state dropped by approximately 80 percent after the law took effect.  Aylo has repeatedly criticized the implementation of these laws. “These people did not stop looking for porn. They just migrated to darker corners of the internet that don’t ask users to verify age, that don’t follow the law, that don’t take user safety seriously,” the company said in a statement.  Aylo added that while it supports age verification in principle, the current approach creates new risks. Requiring large numbers of adult websites to collect highly sensitive personal information, the company argued, puts users in danger if those systems are compromised.

The Pierce County Library System cyberattack has exposed the personal information of more than 340,000 individuals following a cybersecurity incident discovered in April 2025. The public library system, which operates 19 locations and serves nearly one million residents outside Seattle, confirmed that unauthorized access to its network resulted in sensitive data being copied and taken. According to breach notification letters published this week on the Pierce County Library System (PCLS) website and filed with regulators in multiple states, the incident occurred between April 15 and April 21, 2025. PCLS detected the breach on April 21 and immediately shut down its systems to contain the attack and begin an investigation.

Unauthorized Network Access and Data Exposure

The investigation revealed that attackers gained access to PCLS systems for nearly a week and exfiltrated files containing personal information. By May 12, the organization confirmed that hackers had stolen data belonging to both library patrons and current or former employees. For library patrons, the exposed data included names and dates of birth. For employees and their family members, the compromised information was significantly more sensitive. Impacted data may include Social Security numbers, financial account details, driver’s license numbers, credit card information, passport numbers, health insurance records, medical information, and dates of birth. PCLS stated that it is not currently aware of any misuse of the stolen data. However, the organization acknowledged the seriousness of the breach and emphasized that it takes the confidentiality and privacy of personal information in its care very seriously.

Ransomware Gang Claims Responsibility of Pierce County Library System cyberattack

The Pierce County Library System cyberattack was claimed in May by the INC ransomware gang, a cybercriminal group that has carried out multiple high-profile attacks against government and public-sector organizations in 2025. The group has previously targeted systems such as the Pennsylvania Office of the Attorney General and an emergency warning service used by municipalities across the United States. While PCLS has not publicly confirmed whether a ransom demand was made or paid, public library systems have increasingly become targets for ransomware attacks on public libraries. Cybercriminal groups often assume that governments will pay to quickly restore access to essential public services.

History of Cyber Incidents in Pierce County

This is not the first cybersecurity incident to impact Pierce County. In 2023, a ransomware attack disrupted the county’s public bus service, affecting systems used by approximately 18,000 riders daily. The recurring nature of such incidents highlights ongoing challenges faced by local governments in defending critical public infrastructure. Globally, library systems have experienced a rise in cyberattacks in recent years. High-profile incidents, including the British Library cyberattack, along with multiple attacks across Canada and the United States, have caused prolonged outages and service disruptions.

Steps for Impacted Individuals

PCLS is urging affected individuals to remain vigilant against identity theft and fraud. The organization recommends regularly reviewing bank and credit card statements and monitoring credit reports for suspicious activity. Under U.S. law, consumers are entitled to one free credit report annually from each of the three major credit bureaus, Equifax, Experian, and TransUnion. Individuals may also place fraud alerts or credit freezes on their credit files at no cost to help prevent unauthorized accounts from being opened in their name. PCLS has provided a dedicated call center for questions related to the incident. As cyberattack on the Pierce County Library System continue to expand digital offerings, cybersecurity remains a critical challenge requiring sustained investment and vigilance.

A cyberattack on Russia has reportedly targeted Russia’s digital military draft system. According to Grigory Sverdlin, head of the draft-dodging nonprofit Idite Lesom, anonymous hackers successfully breached a key developer of the system on Thursday. “For the next few months, the system, which holds 30 million records, will not be able to send people off to kill or die,” Sverdlin wrote on Facebook.   He added that his organization had received a large set of documents from the hackers, including source code, technical documentation, and internal communications from Russia’s software provider Micord, a central developer of the digital military draft system. 

Cyberattack on Russia’s Digital Military Draft System 

Micord’s website was reportedly inaccessible on Thursday, displaying a notice that it was under “technical maintenance.” Meanwhile, the investigative outlet IStories, which obtained the documents from Idite Lesom, confirmed the breach with Micord’s director, Ramil Gabdrahmanov.  “Listen, it could happen to anyone. Many are being attacked right now,” Gabdrahmanov said. He declined to confirm whether Micord had worked on Russia’s unified military registration database, stating, “We work on many different projects.” Nonetheless, IStories independently verified Micord’s involvement in the digital registry.  Despite the cyberattack on Russia’s digital military draft system, some users reported that the database website was still accessible, though it remained unclear whether electronic draft summonses had been disrupted. The Russian Defense Ministry dismissed the claims of a breach as “fake news,” asserting that the registry continued to operate normally.   “The registry has been repeatedly subjected to hacking attacks. They have all been successfully repelled,” the ministry said, emphasizing that attempts to disrupt the system had so far “failed to achieve their objectives", reported IStories.

Digital Military Draft System: Modernizing Russia’s Draft Process 

The digital military draft system, part of a broader modernization of Russia’s wartime enlistment process, centralizes records of men aged 18 to 30 and allows authorities to issue summonses online, eliminating the need for in-person notifications.  The system has faced multiple delays, with its initial launch scheduled for November 2024. Russia’s fall 2025 draft, which runs from October 1 to December 31, was expected to rely on this digital registry in four regions, including Moscow.  Sverdlin noted that once fully operational, the online system automatically enforces restrictions on draftees who fail to report for compulsory service, including travel bans.  

Origins and Government Plans for the Unified Registry 

The hacker group reportedly remained in Micord’s system for several months, accessing critical infrastructure, operational correspondence, and the source code, which they claimed to have destroyed. The documents were shared with journalists at IStories, who confirmed their authenticity.  The Russian government first announced plans for a unified digital military registration registry in April 2023, when the State Duma passed a bill creating the system. RT Labs, a Rostelecom subsidiary, was initially named as one of the developers.   In February 2024, Rostelecom was designated as the sole contractor to complete the system for the Ministry of Digital Development, Communications, and Mass Media, with a completion deadline of December 31, 2024. Though initially intended for the 2024 fall draft, the registry became fully operational only in October 2025, with several regions adopting electronic summonses and phasing out paper notifications. 

The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million people in the UK. The data breach occurred in August 2022 and was the result of two isolated incidents that, when combined, enabled a hacker to gain unauthorized access to LastPass’ backup database. The stolen information included customer names, email addresses, phone numbers, and stored website URLs. While the data breach exposed sensitive personal information, the ICO confirmed there is no evidence that hackers were able to decrypt customer passwords. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, which ensures that master passwords and vaults are stored locally on customer devices and never shared with the company.

Incident One: Corporate Laptop Compromised

The first incident involved a LastPass employee’s corporate laptop based in Europe. A hacker gained access to the company’s development environment and obtained encrypted company credentials. Although no personal information was taken at this stage, the credentials could have provided access to the backup database if decrypted. LastPass attempted to mitigate the hacker’s activity and believed the encryption keys remained safe, as they were stored outside the compromised environment in the vaults of four senior employees.

Incident Two: Personal Device Targeted

The second incident proved more damaging. The hacker targeted one of the senior employees who had access to the decryption keys. Exploiting a known vulnerability in a third‑party streaming service, the attacker gained access to the employee’s personal device. A keylogger was installed, capturing the employee’s master password. Multi‑factor authentication was bypassed using a trusted device cookie. This allowed the hacker to access both the employee’s personal and business LastPass vaults, which were linked by a single master password. From there, the hacker obtained the Amazon Web Service (AWS) access key and decryption key stored in the business vault. Combined with information taken the previous day, this enabled the extraction of the backup database containing customer personal information.

ICO’s Findings and Fine on LastPass UK

The ICO investigation concluded that LastPass failed to implement sufficiently strong technical and security measures, leaving customers exposed. Although the company’s zero knowledge encryption protected passwords, the exposure of personal data was deemed a serious failure. John Edwards, UK Information Commissioner, stated: “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details, and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to reduce risks of attack. LastPass customers had a right to expect their personal information would be kept safe and secure. The company fell short of this expectation, resulting in the proportionate fine announced today.”

Lessons for Businesses

The ICO has urged all UK businesses to review their systems and procedures to prevent similar risks. This case underscores the importance of restricting system access, strengthening cybersecurity measures, and ensuring that employees’ personal devices do not become weak points in corporate networks. While password managers remain a recommended tool for managing login details, the incident shows that even trusted providers can fall short if internal safeguards are not sufficiently strong. The £1.2 million fine against LastPass UK Ltd serves as a clear reminder that companies handling sensitive data must uphold the highest standards of security. Although customer passwords were protected by the company’s zero knowledge encryption system, the exposure of personal information has left millions vulnerable. The ICO’s ruling reinforces the need for constant vigilance in the face of growing cyber threats. For both businesses and individuals, the message is straightforward: adopt strong security practices, conduct regular system reviews, and implement robust employee safeguards to reduce the risk of future data breaches.

The City of Cambridge has released an important update regarding the OnSolve CodeRED emergency notifications system, also known locally as Cambridge’s reverse 911 system. The platform, widely used by thousands of local governments and public safety agencies across the country, was taken offline in November following a nationwide OnSolve CodeRED cyberattack. Residents who rely on CodeRED alerts for information about snow emergencies, evacuations, water outages, or other service disruptions are being asked to take immediate steps to secure their accounts and continue receiving notifications.

Impact of the OnSolve CodeRED Cyberattack on User Data

According to city officials, the data breach affected CodeRED databases nationwide, including Cambridge. The compromised information may include phone numbers, email addresses, and passwords of registered users. Importantly, the attack targeted the OnSolve CodeRED system itself, not the City of Cambridge or its departments. This OnSolve CodeRED cyberattack incident mirrors similar concerns raised in Monroe County, Georgia, where officials confirmed that residents’ personal information was also exposed. The Monroe County Emergency Management Agency emphasized that the breach was part of a nationwide cybersecurity incident and not a local failure.

Transition to CodeRED by Crisis24

In response, OnSolve permanently decommissioned the old CodeRED platform and migrated services to a new, secure environment known as CodeRED by Crisis24. The new system has undergone comprehensive security audits, including penetration testing and system hardening, to ensure stronger protection against future threats. For Cambridge residents, previously registered contact information has been imported into the new platform. However, due to security concerns, all passwords have been removed. Users must now reset their credentials before accessing their accounts.

Steps for City of Cambridge Residents and Users

To continue receiving emergency notifications, residents should:

• Visit accountportal.onsolve.net/cambridgema
• Enter their username (usually an email address)
• Select “forgot password” to verify and reset credentials
• If unsure of their username, use the “forgot username” option

Officials strongly advise against reusing old CodeRED passwords, as they may have been compromised. Instead, users should create strong, unique passwords and update their information once logged in. Additionally, anyone who used the same password across multiple accounts is urged to change those credentials immediately to reduce the risk of further exposure.

Broader National Context

The Monroe County cyberattack highlights the scale of the issue. Officials there reported that data such as names, addresses, phone numbers, and passwords were compromised. Residents who enrolled before March 31, 2025, had their information migrated to the new Crisis24 CodeRED platform, while those who signed up afterward must re‑enroll. OnSolve has reassured communities that the intrusion was contained within the original system and did not spread to other networks. While there is currently no evidence of identity theft, the incident underscores the growing risks of cyber intrusions nationwide.

Resources for Cybersecurity Protection

Residents who believe they may have been victims of cyber‑enabled fraud are encouraged to report incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov. Additional resources are available to help protect individuals and families from fraud and cybercrime. Security experts note that the rising frequency of attacks highlights the importance of independent threat‑intelligence providers. Companies such as Cyble track vulnerabilities and cybercriminal activity across global networks, offering organizations tools to strengthen defenses and respond more quickly to incidents.

Looking Ahead

The City of Cambridge has thanked residents for their patience as staff worked with OnSolve to restore emergency alert capabilities. Officials emphasized that any breach of security is a serious concern and confirmed that they will continue monitoring the new CodeRED by Crisis24 platform to ensure its standards are upheld. In addition, the City is evaluating other emergency alerting systems to determine the most effective long‑term solution for community safety.

Four years after the HSE cyberattack that crippled Ireland’s national health service, the Health Service Executive has begun offering financial compensation to individuals whose personal data was compromised in the incident. The payment proposal is the first time the HSE has formally acknowledged the need to compensate those affected by what remains one of the largest recorded cyberattacks on health systems worldwide.  The cyberattack on HSE occurred on May 14, 2021, when the Conti ransomware group, a Russia-based cybercrime organization, launched a large-scale intrusion that forced the shutdown of the health service’s IT network. The ransomware incident led to widespread treatment delays and exposed sensitive information belonging to almost 100,000 staff members and patients. Investigators later determined that the breach began when a malicious file attached to a phishing email was opened on the dispersed and “frail” IT infrastructure used by the health service. 

Hundreds of Legal Proceedings Underway Following the HSE Cyberattack 

As legal disputes have grown over the last four years, the HSE has now extended an offer of €750 in damages to each affected claimant. A further €650 per person has been allocated to cover legal fees. According to Cork-based O’Dowd Solicitors, representing more than 100 individuals, the offer was received on Friday and was described to clients as a “significant development.” The firm told its clients that this was “the first time in public (or private that I know of, the HSE has acknowledged that they will need to compensate individuals impacted by the breach.”  According to RTÉ News, the proposed €750 payment would be issued within 28 days of an accepted offer and would serve as a “full and final settlement” of any ongoing proceedings. O’Dowd Solicitors declined to comment publicly on the matter, though it is understood the firm is currently advising clients on their options.  The offer follows a recent high-profile legal ruling in Ireland that affirmed an individual’s right to damages in relation to data breaches, a decision seen by legal observers as having implications for the mounting number of cases linked to the HSE cyberattack.  As of November 2025, the HSE confirmed that approximately 620 legal proceedings had been issued in connection with the attack. A spokeswoman said that the HSE “is working closely with the State Claims Agency in relation to this matter and is engaging with legal representatives accordingly,” adding that “these legal matters between the HSE and affected individuals are confidential.”  In earlier updates, the health service said it had reached out to all individuals whose information had been compromised, with 90,936 people ultimately contacted following the breach. The scale of the incident placed immense pressure on clinical operations, causing long delays in diagnostics, appointments, and elective procedures over an extended period. 

Cybersecurity Overhaul Following the Conti Attack 

Since the 2021 intrusion, the HSE has noted that it has “invested significantly” in strengthening its cybersecurity posture. According to the organization, multiple work programs are underway to address vulnerabilities identified in the aftermath of the cyberattack on HSE. The HSE reports that it now responds to thousands of cyber threats annually and continues to expand “multi-layered cyber defenses” intended to detect and mitigate ongoing risks. The agency acknowledges that the attack exposed critical weaknesses in its digital infrastructure and reiterated that enhancing cyber capability remains a core operational priority.  The compensation development was first reported by the Irish Independent and signals a new phase in the long-running fallout from the HSE cyberattack carried out by the Conti ransomware group. For many victims, the proposed payments represent a long-awaited acknowledgment of the breach’s impact, though the final resolution of the hundreds of legal claims still depends on individual acceptance of the settlement terms. 

Barts Health NHS Trust has confirmed that the data breach at Barts Health was carried out by the Russian-speaking Cl0p ransomware group, which exploited a vulnerability in Oracle E-Business Suite. The Barts Health data breach involved the theft of files from one of the trust’s invoice databases, exposing information linked to payments for treatment and other services, some dating back several years.  In its official notification, the trust stated, “As a result of a recent incident involving data from our trust, we are informing those potentially affected that there is a risk some personal data is compromised.”  The trust confirmed that the criminal group stole files containing names and addresses of individuals required to pay for treatment or services at a Barts Health hospital. These files were later posted on the dark web. Barts Health emphasized that it is pursuing legal remedies, noting, “We are taking urgent action and seeking a High Court order to ban the publication, use or sharing of this data by anyone.” 

Details of the Barts Health Data Breach and Exposed Information 

The cyberattack on Barts Health occurred after Cl0p exploited a flaw in Oracle E-Business Suite, a widely used system for automating business processes. Oracle has since corrected the vulnerability, which has affected multiple organizations globally.  The trust has reported the Barts Health data breach to NHS England, the National Cyber Security Centre, the Metropolitan Police, and the Information Commissioner’s Office. Despite the intrusion, Barts Health stressed that core healthcare systems remain secure: “Please note our electronic patient record and clinical systems are not affected, and we are confident our core IT infrastructure is secure.”  Paying patients are encouraged to review their treatment invoices to understand which details may have been exposed. Some former employees also appear in the files due to outstanding salary sacrifice amounts or overpayments. Nearly half of the compromised records relate to suppliers whose information is already publicly accessible.  The affected database also contains accounting files that Barts Health has managed since April 2024 for Barking, Havering, and Redbridge University Hospitals NHS Trust. Both trusts are coordinating efforts to limit the impact. 

Timeline of the Breach and Potential Risks to Individuals 

Although the theft occurred in August, Barts Health did not receive any indication that data had been compromised until November, when the files were uploaded to the dark web. None of the information has emerged on the open internet, restricting exposure to individuals with access to encrypted and compressed files on the dark web.  The trust warned that the stolen files cannot grant direct access to personal accounts but may help criminals craft scams to trick victims into sharing sensitive information or making payments. Individuals with concerns are advised to contact the trust’s data protection officer or consult national guidance such as “Stop! Think Fraud – How to stay safe from scams.”  Barts Health apologized for the incident, stating, “We are very sorry that this has happened and are taking steps with our suppliers to ensure that it could not happen again.”  The Cl0p ransomware group is a well-known cybercriminal syndicate recognized for its multilayer extortion operations, including encryption-less ransomware tactics. Responsible for extorting more than $500 million in ransom payments worldwide, Cl0p became prominent in 2019 through extensive phishing campaigns and malware. The group frequently exploits zero-day vulnerabilities, enabling high-impact attacks and ransom demands. 

A former student has been charged over an extended series of security breaches linked to the Western Sydney University cyberattack that has affected the institution since 2021. According to police, the university endured repeated unauthorized access, data exfiltration, system compromises, and the misuse of its infrastructure, activities that also involved threats to release student information on the dark web. Authorities estimate that hundreds of staff and students have been impacted over the course of the breaches.  Detectives worked with Western Sydney University, the AFP’s Joint Policing Cyber Coordination Centre (JCP3), and external cybersecurity specialists to trace the intrusions. Their investigation led to a 27-year-old woman, a former student of the university, who was first arrested and charged in June.

The Complex Case of the Western Sydney University Cyberattack 

Despite the earlier arrest, police allege the student continued offending, sending more than 100,000 fraudulent emails to students to damage the university’s reputation and cause distress. As part of the continuing inquiry into the cyberattack on Western Sydney University, detectives executed a search warrant in North Kellyville, where the student was again arrested. Officers stated that she possessed a mobile phone modified to function as a computer terminal, allegedly used in cyber offences.  She was taken to The Hills Police Station and charged with multiple offences, including two counts of unauthorized function with intent to commit a serious offence, two counts of fabricating false evidence with intent to mislead a judicial tribunal, and breach of bail. Police say she also posted fabricated material online that was designed to exonerate herself during the ongoing legal proceedings. Bail was refused, and she was due to appear in court the following day. 

University Issues Public Notification After Continued Cyber Incidents 

Western Sydney University released a public notification on 23 October 2025, advising the community of personal information that may have been compromised in the broader Western Sydney University cyberattack pattern. The notice included a statement expressing regret over the situation:  “I want to again apologize for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community.”  The university confirmed that it had been working closely with the NSW Police Force Cybercrime Squad’s Strike Force Docker, which had arrested and charged the former student on 25 June 2025. However, attempts to breach university systems continued even after the arrest, including attempts that exploited external IT service providers.  Unusual activity was detected twice, on 6 August and 11 August 2025, within the Student Management System, which is hosted by a third-party provider on a cloud platform. An immediate investigation led the university to shut down access to the platform. It was later confirmed that unauthorized access occurred through external systems linked to the platform between 19 June and 3 September 2025. These linked systems allow intruders to extract personal data from the Student Management System.  University investigators also determined that fraudulent emails sent on 6 October 2025 had used data stolen during this period. Authorities asked the university to delay notifying the community to avoid disrupting the police investigation. With approval finally granted, the university issued a comprehensive notice to students, former students, staff, offer recipients, The College, The International College, and Early Learning Ltd personnel. 

Scope of Compromised Information 

According to the public notification, the cyber incidents may have exposed a wide range of personal information, including contact details, names, dates of birth, identification numbers, nationality information, employment and payroll records, bank and tax details, driver's license and passport information, visa documentation, complaint files, and certain health, disability, and legal information.  Individual notifications are being issued to those affected, including updated findings from earlier incidents.  The notification advised individuals to change passwords, preferably to those of at least 15 characters, and implement multi-factor authentication across online accounts. Additional support services include a dedicated cyber incident website, a university phone line for inquiries, resources from the NSW Information and Privacy Commission, and reporting options via the Australian Cyber Security Centre for anyone who believes their information has been misused. 

FTC action takes center stage as the U.S. Federal Trade Commission has announced strong enforcement steps against education technology (Edtech) provider Illuminate Education, following a major data breach that exposed the personal information of more than 10 million students across the United States. The agency said the company failed to implement reasonable security measures despite promising schools and parents that student information was protected.

Why the Agency Intervened

FTC complaint outlines a series of allegations against the Wisconsin-based company, which provides cloud-based software tools for schools. According to the complaint, Illuminate Education claimed it used industry-standard practices to safeguard student information but failed to put in place basic security controls. The Illuminate Education data breach incident dates back to December 2021 when a hacker accessed the company’s cloud databases using login credentials belonging to a former employee who had left the company more than three years earlier. This lapse allowed unauthorized access to data belonging to 10.1 million students, including email addresses, home addresses, dates of birth, academic records, and sensitive health information. FTC officials said the company ignored warnings as early as January 2020, when a third-party vendor alerted them to several vulnerabilities in their systems. The data security failures included weak access controls, gaps in threat detection, and a lack of proper vulnerability monitoring and patch management. The agency also noted that student data was stored in plain text until at least January 2022, increasing the severity of the breach.

FTC Action: Requirements Under the Proposed Order

As part of the proposed settlement, the FTC will require Illuminate Education to adopt a comprehensive information security program and follow stricter privacy obligations. The proposed FTC order includes several mandatory steps:

• Deleting any personal information that is no longer required for service delivery.
• Following a transparent, publicly available data retention schedule that explains why data is collected and when it will be deleted.
• Implementing a detailed information security program to protect the confidentiality and integrity of personal information.
• Notifying the FTC when the company reports a data breach to any federal, state, or local authority.

The order also prohibits the company from misrepresenting its data security practices or delaying breach notifications to school districts and families. The FTC said Illuminate had waited nearly two years before informing some districts about the breach, impacting more than 380,000 students. The Commission has voted unanimously to advance the complaint and proposed order for public comment. It will be published in the Federal Register, where stakeholders can share feedback for 30 days before the FTC decides whether to finalize the consent order.

FTC Action and State-Level Enforcement

Alongside the federal enforcement, the state data breach settlement adds another layer of accountability. Attorneys General from California, Connecticut, and New York recently announced a $5.1 million settlement with Illuminate Education for failing to adequately protect student data during the same 2021 cyber incident. California will receive $3.25 million in civil penalties, and the settlement includes strict requirements designed to improve the company’s cybersecurity safeguards. With more than 434,000 California students affected, this marks one of the largest enforcement actions under the California K-12 Pupil Online Personal Information Protection Act (KOPIPA). State officials emphasized that educational technology companies must prioritize the security of children’s data, which often includes highly sensitive information like medical details and learning records.