
Password Manager LastPass Penalized £1.2m by ICO for Security Failures

12 December 2025 at 03:23


The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million people in the UK. The breach occurred in August 2022 and was the result of two separate incidents that, taken together, enabled an attacker to gain unauthorized access to LastPass’ backup database. The stolen information included customer names, email addresses, phone numbers, and stored website URLs. While the breach exposed personal information, the ICO confirmed there is no evidence that the attackers were able to decrypt customer passwords. This is because of LastPass’ ‘zero knowledge’ design: vault contents are encrypted on the customer’s device with a key derived from the master password, and the master password itself is never sent to the company, so the company (and anyone who steals its data) holds only ciphertext for those fields.

Incident One: Corporate Laptop Compromised

The first incident involved the corporate laptop of a LastPass employee based in Europe. An attacker gained access to the company’s development environment and obtained encrypted company credentials. Although no personal information was taken at this stage, the credentials could have provided access to the backup database if decrypted. LastPass attempted to contain the attacker’s activity and believed the encryption keys remained safe, since they were stored outside the compromised environment, in the vaults of four senior employees.

Incident Two: Personal Device Targeted

The second incident proved more damaging. The attacker targeted one of the senior employees who held the decryption keys. Exploiting a known vulnerability in a third‑party streaming service, the attacker gained access to the employee’s personal device and installed a keylogger, which captured the employee’s master password. Multi‑factor authentication was bypassed using a trusted‑device cookie. This allowed the attacker to access both the employee’s personal and business LastPass vaults, which shared a single master password. From there, the attacker obtained the Amazon Web Services (AWS) access key and the decryption key stored in the business vault. Combined with the information taken the previous day, this enabled the extraction of the backup database containing customer personal information.
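As an added illustration (not LastPass code, and not a description of its actual vault format), the following Go program shows what a zero‑knowledge design of the kind described above protects and what it leaves readable. It assumes a hypothetical record layout in which the website URL is stored in the clear for search and sync, while only the password is encrypted on the customer’s device with AES‑256‑GCM under a key derived from the master password by PBKDF2‑HMAC‑SHA256; the iteration count, salt and sample values are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// VaultRecord is a hypothetical server-side row for one saved login. Only Blob is
// encrypted on the client; URL stays readable, so anyone holding the backup can read it.
type VaultRecord struct {
	URL   string
	Nonce []byte
	Blob  []byte // AES-256-GCM ciphertext of the password
}

// Demo iteration count (assumption); production products use much larger values.
const kdfIterations = 100000

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), using only the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for blockIdx := uint32(1); len(out) < keyLen; blockIdx++ {
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], blockIdx)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i starts as U_1
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// vaultCipher derives the vault key from the master password; the password is never stored.
func vaultCipher(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, kdfIterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord runs on the client. The URL is bound as associated data, so a
// stolen blob cannot be re-labelled with a different URL and still decrypt.
func EncryptRecord(master string, salt []byte, url, password string) (VaultRecord, error) {
	aead, err := vaultCipher(master, salt)
	if err != nil {
		return VaultRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return VaultRecord{}, err
	}
	blob := aead.Seal(nil, nonce, []byte(password), []byte(url))
	return VaultRecord{URL: url, Nonce: nonce, Blob: blob}, nil
}

// DecryptRecord returns the password, or an error when the master password is wrong
// or the record was tampered with (GCM authentication fails either way).
func DecryptRecord(master string, salt []byte, r VaultRecord) (string, error) {
	aead, err := vaultCipher(master, salt)
	if err != nil {
		return "", err
	}
	plain, err := aead.Open(nil, r.Nonce, r.Blob, []byte(r.URL))
	if err != nil {
		return "", fmt.Errorf("vault open failed: %w", err)
	}
	return string(plain), nil
}

// ServerView is what the holder of the backup sees without the master password.
func ServerView(r VaultRecord) map[string]string {
	return map[string]string{"url": r.URL, "blob": hex.EncodeToString(r.Blob)}
}

func main() {
	salt := []byte("constructed-per-user-salt") // constructed; real salts are random per account
	rec, _ := EncryptRecord("correct horse battery staple", salt, "https://bank.example", "hunter2")
	fmt.Println("backup database holds:", ServerView(rec))
	_, err := DecryptRecord("guess", salt, rec)
	fmt.Println("attacker with wrong master password:", err)
}
```

Run it and the first line shows what a copy of the backup database yields: the URL in full and an opaque blob. Two caveats follow from this and from the second incident above. First, the blob’s only protection is the master password and the KDF cost, so a holder of the backup can guess weak master passwords offline at leisure. Second, a keylogger that captures the master password defeats the scheme entirely, and where one master password unlocks both a personal and a business vault, as it did for the targeted employee, a single capture opens both.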

ICO’s Findings and Fine on LastPass UK

The ICO investigation concluded that LastPass failed to implement sufficiently strong technical and security measures, leaving customers exposed. Although the company’s zero knowledge encryption protected passwords, the exposure of personal data was deemed a serious failure. John Edwards, UK Information Commissioner, stated: “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details, and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to reduce risks of attack. LastPass customers had a right to expect their personal information would be kept safe and secure. The company fell short of this expectation, resulting in the proportionate fine announced today.”

Lessons for Businesses

The ICO has urged all UK businesses to review their systems and procedures to prevent similar risks. This case underscores the importance of restricting system access, strengthening cybersecurity measures, and ensuring that employees’ personal devices do not become weak points in corporate networks. While password managers remain a recommended tool for managing login details, the incident shows that even trusted providers can fall short if internal safeguards are not sufficiently strong. The £1.2 million fine against LastPass UK Ltd serves as a clear reminder that companies handling sensitive data must uphold the highest standards of security. Although customer passwords were protected by the company’s zero knowledge encryption, the exposure of personal information has left those affected open to follow‑on phishing and impersonation attempts. The ICO’s ruling reinforces the need for constant vigilance in the face of growing cyber threats. For both businesses and individuals, the message is straightforward: adopt strong security practices, conduct regular system reviews, and implement robust employee safeguards to reduce the risk of future data breaches.

City of Cambridge Advises Password Reset After Nationwide CodeRED Data Breach

12 December 2025 at 00:56


The City of Cambridge has released an important update regarding the OnSolve CodeRED emergency notifications system, also known locally as Cambridge’s reverse 911 system. The platform, widely used by thousands of local governments and public safety agencies across the country, was taken offline in November following a nationwide OnSolve CodeRED cyberattack. Residents who rely on CodeRED alerts for information about snow emergencies, evacuations, water outages, or other service disruptions are being asked to take immediate steps to secure their accounts and continue receiving notifications.

Impact of the OnSolve CodeRED Cyberattack on User Data

According to city officials, the breach affected CodeRED databases nationwide, including Cambridge’s. The compromised information may include phone numbers, email addresses, and passwords of registered users. Importantly, the attack targeted the OnSolve CodeRED system itself, not the City of Cambridge or its departments. The incident mirrors concerns raised in Monroe County, Georgia, where officials confirmed that residents’ personal information was also exposed. The Monroe County Emergency Management Agency emphasized that the breach was part of a nationwide cybersecurity incident and not a local failure.

Transition to CodeRED by Crisis24

In response, OnSolve permanently decommissioned the old CodeRED platform and migrated services to a new environment known as CodeRED by Crisis24. According to OnSolve, the new system has undergone security audits, including penetration testing and system hardening, intended to provide stronger protection against future threats. For Cambridge residents, previously registered contact information has been imported into the new platform, but all stored passwords have been discarded because they may have been compromised. Users must reset their credentials before accessing their accounts.

Steps for City of Cambridge Residents and Users

To continue receiving emergency notifications, residents should:
  • Visit accountportal.onsolve.net/cambridgema
  • Enter their username (usually an email address)
  • Select “forgot password” to verify and reset credentials
  • If unsure of their username, use the “forgot username” option
Officials strongly advise against reusing old CodeRED passwords, as they may have been compromised. Instead, users should create strong, unique passwords and update their information once logged in. Additionally, anyone who used the same password across multiple accounts is urged to change those credentials immediately to reduce the risk of further exposure.

Broader National Context

The Monroe County cyberattack highlights the scale of the issue. Officials there reported that data such as names, addresses, phone numbers, and passwords were compromised. Residents who enrolled before March 31, 2025, had their information migrated to the new Crisis24 CodeRED platform, while those who signed up afterward must re‑enroll. OnSolve has reassured communities that the intrusion was contained within the original system and did not spread to other networks. While there is currently no evidence of identity theft, the incident underscores the growing risks of cyber intrusions nationwide.

Resources for Cybersecurity Protection

Residents who believe they may have been victims of cyber‑enabled fraud are encouraged to report incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov. Additional resources are available to help protect individuals and families from fraud and cybercrime. Security experts note that the rising frequency of attacks highlights the importance of independent threat‑intelligence providers. Companies such as Cyble track vulnerabilities and cybercriminal activity across global networks, offering organizations tools to strengthen defenses and respond more quickly to incidents.

Looking Ahead

The City of Cambridge has thanked residents for their patience as staff worked with OnSolve to restore emergency alert capabilities. Officials emphasized that any breach of security is a serious concern and confirmed that they will continue monitoring the new CodeRED by Crisis24 platform to ensure its standards are upheld. In addition, the City is evaluating other emergency alerting systems to determine the most effective long‑term solution for community safety.

Federal Grand Jury Charges Former Manager with Government Contractor Fraud

11 December 2025 at 04:16


Government contractor fraud is at the heart of a new indictment returned by a federal grand jury in Washington, D.C. against a former senior manager in Virginia. Prosecutors say Danielle Hillmer, 53, of Chantilly, misled federal agencies for more than a year about the security of a cloud platform used by the U.S. Army and other government customers. The indictment, announced yesterday, charges Hillmer with major government contractor fraud, wire fraud, and obstruction of federal audits. According to prosecutors, she concealed serious weaknesses in the system while presenting it as fully compliant with strict federal cybersecurity standards.

Government Contractor Fraud: Alleged Scheme to Mislead Agencies

According to court documents, Hillmer’s actions spanned from March 2020 through November 2021. During this period, she allegedly obstructed auditors and misrepresented the platform’s compliance with the Federal Risk and Authorization Management Program (FedRAMP) and the Department of Defense’s Risk Management Framework. The indictment claims that while the platform was marketed as a secure environment for federal agencies, it lacked critical safeguards such as access controls, logging, and monitoring. Despite repeated warnings, Hillmer allegedly insisted the system met the FedRAMP High baseline and DoD Impact Levels 4 and 5, both of which are required for handling sensitive government data.

Obstruction of Audits

Federal prosecutors allege Hillmer went further by attempting to obstruct third-party assessors during audits in 2020 and 2021. She is accused of concealing deficiencies and instructing others to hide the true state of the system during testing and demonstrations. The indictment also states that Hillmer misled the U.S. Army to secure sponsorship for a Department of Defense provisional authorization. She allegedly submitted, and directed others to submit, authorization materials containing false information to assessors, authorizing officials, and government customers. These misrepresentations, prosecutors say, allowed the contractor to obtain and maintain government contracts under false pretenses.

Charges and Potential Penalties

Hillmer faces two counts of wire fraud, one count of major government fraud, and two counts of obstruction of a federal audit. If convicted, she could face:
  • Up to 20 years in prison for each wire fraud count
  • Up to 10 years in prison for major government fraud
  • Up to 5 years in prison for each obstruction count
A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors. The indictment was announced by Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division and Deputy Inspector General Robert C. Erickson of the U.S. General Services Administration Office of Inspector General (GSA-OIG). The case is being investigated by the GSA-OIG, the Defense Criminal Investigative Service, the Naval Criminal Investigative Service, and the Department of the Army Criminal Investigation Division. Trial Attorneys Lauren Archer and Paul Hayden of the Criminal Division’s Fraud Section are prosecuting the case.

Broader Implications of Government Contractor Fraud

The indictment highlights ongoing concerns about the integrity of cloud platforms used by federal agencies. Programs like FedRAMP and the DoD’s Risk Management Framework are designed to ensure that systems handling sensitive government data meet rigorous security standards. Allegations that a contractor misrepresented compliance raise questions about oversight and the risks posed to national security when platforms fall short of requirements. Federal officials emphasized that the case underscores the importance of transparency and accountability in government contracting, particularly in areas involving cybersecurity. Note: an indictment is merely an allegation. Hillmer, like all defendants, is presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Cyble Global Cybersecurity Report 2025: 6,000 Ransomware Attacks Mark a 50% Surge

11 December 2025 at 01:16


2025 will be remembered as the year cyber threats reached a breaking point. With nearly 6,000 ransomware incidents, more than 6,000 data breaches, and over 3,000 sales of compromised corporate access, enterprises across the globe faced one of the most dangerous digital landscapes on record. Manufacturing plants halted production, government agencies struggled to contain leaks, and critical infrastructure endured direct hits. The Cyble Global Cybersecurity Report 2025 found that ransomware attacks surged 50% year-over-year. The report also found that data breaches climbed to their second-highest level ever and that the underground market for stolen access flourished. Together, these figures reveal not isolated events but a systemic escalation of cybercrime that is reshaping how organizations must defend themselves.

Cyble Global Cybersecurity Report 2025: A Year of Escalation

The Cyble Global Cybersecurity Report 2025 documented 5,967 ransomware attacks, representing a 50% increase year-over-year. Alongside this, 6,046 data breaches and leaks were recorded, the second-highest level ever observed. The underground market for compromised initial access also thrived, with 3,013 sales fueling the global cybercrime economy. Daksh Nakra, Senior Manager of Research and Intelligence at Cyble, described 2025 as a “Major power shift in the threat landscape,” noting that new ransomware groups quickly filled the void left by law enforcement crackdowns. The combination of supply chain attacks and rapid weaponization of zero-day vulnerabilities created what he called “a perfect storm” for enterprises worldwide.

Ransomware Landscape Transformed

Two groups stood out in 2025. Akira ransomware emerged as the second-most prolific group behind Qilin, launching sustained campaigns across Construction, Manufacturing, and Professional Services. Its opportunistic targeting model allowed it to compromise nearly every major industry vertical. Meanwhile, CL0P ransomware reaffirmed its reputation as a zero-day specialist. In February 2025, CL0P executed a mass campaign exploiting enterprise file transfer software, posting hundreds of victims in a single wave. Consumer Goods, Transportation & Logistics, and IT sectors were among the hardest hit.

Key Ransomware Statistics

  • 5,967 total ransomware attacks in 2025 (50% increase year-over-year)
  • The manufacturing sector most targeted, suffering the highest operational disruption
  • Construction, Professional Services, Healthcare, and IT are among the top five targets
  • The United States experienced the majority of attacks; Australia entered the top-five list for the first time
  • 31 incidents directly impacted critical infrastructure

Data Breaches Near Record Levels

Government and law enforcement agencies were disproportionately affected, accounting for 998 incidents (16.5% of total breaches). The Banking, Financial Services, and Insurance (BFSI) sector followed with 634 incidents. Together, these two sectors represented more than a quarter of all breaches, highlighting attackers’ focus on sensitive citizen data and financial information. The sale of compromised corporate access continued to fuel cybercrime. Cyble’s analysis revealed 3,013 access sales, with the Retail sector most heavily targeted at 594 incidents (nearly 20%). BFSI followed with 284 incidents, while Government agencies accounted for 175 incidents.

Vulnerabilities Drive Attack Surge

Cyble Global Cybersecurity Report 2025 further highlighted that critical flaws in widely deployed enterprise technologies served as primary entry points. Among the most exploited were:
  • CVE-2025-61882 (Oracle E-Business Suite RCE) – leveraged by CL0P
  • CVE-2025-10035 (GoAnywhere MFT RCE) – exploited by Medusa
  • Multiple vulnerabilities in Fortinet, Ivanti, and Cisco products with CVSS scores above 9.0
In total, 94 zero-day vulnerabilities were identified in 2025, with 25 scoring above 9.0. Over 86% of CISA’s Known Exploited Vulnerabilities catalog entries carried CVSS ratings of 7.0 or higher, with Microsoft, Fortinet, Apple, Cisco, and Oracle most frequently affected.

Geopolitical Hacktivism Surges

According to the Cyble Global Cybersecurity Report 2025, hacktivist activity reached an unprecedented scale, with over 40,000 data leaks and dump posts impacting 41,400 unique domains. Much of this activity was driven by geopolitical conflicts:
  • The Israel-Iran conflict triggered operations by 74 hacktivist groups
  • India-Pakistan tensions generated 1.5 million intrusion attempts
  • North Korea’s IT worker fraud schemes infiltrated global companies
  • DDoS attacks, website defacements, and breaches targeted governments and critical infrastructure

Industry-Specific Insights

  • Manufacturing: Most attacked sector due to reliance on OT/ICS environments and low tolerance for downtime
  • Construction: Heavily targeted by Akira; time-sensitive projects created maximum pressure points
  • Professional Services: Law firms and consultancies compromised for sensitive client data and supply chain leverage
  • Healthcare: Continued to face attacks from groups like BianLian, Abyss, and INC Ransom due to critical data availability needs
  • IT & ITES: Service providers exploited to enable cascading supply chain attacks against downstream customers

Outlook

The numbers from the Cyble Global Cybersecurity Report 2025 point to ransomware up 50%, thousands of breaches, and a booming underground economy for compromised access. With critical infrastructure, government agencies, and high-value industries increasingly in the crosshairs, the report underscores the urgency for enterprises worldwide to strengthen defenses against a rapidly evolving threat landscape.

For a full analysis, the Global Cybersecurity Report 2025 is available at Cyble Research Reports.

Australia’s Social Media Ban for Kids: Protection, Overreach or the Start of a Global Shift?

10 December 2025 at 04:23


On a cozy December morning, as children in Australia set their school bags aside for the holiday season and picked up their tablets and phones to take that selfie and announce to the world that they were all set for the fun to begin, something felt amiss. They couldn't access their Snapchat and Instagram accounts. No, it wasn't another outage caused by a cyberattack, because they could see their parents lounging on the couch and laughing at reels of dancing dogs. So why were they locked out? The answer: the ban on social media for children under 16 had officially taken effect. It wasn't just one, or 10, or 100, but more than one million young users who woke up locked out of their social media. No TikTok scroll. No Snapchat streak. No YouTube comments. Australia had quietly entered a new era: the world’s first nationwide ban on social media for children under 16, effective December 10. The move has set off global debate, parental relief, youth frustration, and a broader question: is this the start of a global shift, or a risky social experiment? Prime Minister Anthony Albanese was clear about why his government took this unprecedented step. “Social media is doing harm to our kids, and I’m calling time on it,” he said during a press conference. “I’ve spoken to thousands of parents… they’re worried sick about the safety of our kids online, and I want Australian families to know that the Government has your back.” Under the Albanese government’s social media policy, platforms including Instagram, Facebook, X, Snapchat, TikTok, Reddit, Twitch, Kick, Threads and YouTube must block users under 16, or face fines of up to AU$49.5 million (about US$32 million). Parents and children won’t be penalized, but tech companies will.
(Image: Australia’s social media ban. Source: eSafety Commissioner)

Australia's Ban on Social Media: A Big Question

Albanese pointed to rising concerns about the effects of social media on children, from body-image distortion to exposure to inappropriate content and addictive algorithms that tug at young attention spans. Research supports these concerns. A Pew Research Center study found:
  • 48% of teens say social media has a mostly negative effect on people their age, up sharply from 32% in 2022.
  • 45% feel they spend too much time on social media.
  • Teen girls experience more negative impacts than boys, including mental health struggles (25% vs 14%) and loss of confidence (20% vs 10%).
  • Yet paradoxically, 74% of teens feel more connected to friends because of social media, and 63% use it for creativity.
These contradictions make the issue far from black and white. Psychologists remind us that adolescence, beginning around age 10 and stretching into the mid-20s, is a time of rapid biological and social change, and that maturity levels vary. This means that a one-size-fits-all ban on social media may overshoot the mark.

Ban on Social Media for Users Under 16: How People Reacted

Australia’s announcement, first revealed in November 2024, has motivated countries from Malaysia to Denmark to consider similar legislation. But not everyone is convinced this is the right way forward.

Supporters Applaud “A Chance at a Real Childhood”

Pediatric occupational therapist Cris Rowan, who has spent 22 years working with children, celebrated the move: “This may be the first time children have the opportunity to experience a real summer,” she said. “Canada should follow Australia’s bold initiative. Parents and teachers can start their own movement by banning social media from homes and schools.” Parents’ groups have also welcomed the decision, seeing it as a necessary intervention in a world where screens dominate childhood.

Others Say the Ban Is Imperfect, but Necessary

Australian author Geoff Hutchison puts it bluntly: “We shouldn’t look for absolutes. It will be far from perfect. But we can learn what works… We cannot expect the repugnant tech bros to care.” His view reflects a broader belief that tech companies have too much power, and too little accountability.

Experts Warn Against False Security 

However, some experts caution that the Australia ban on social media may create the illusion of safety while failing to address deeper issues. Professor Tama Leaver, Internet Studies expert at Curtin University, told The Cyber Express that while the ban on social media addresses some risks, such as algorithmic amplification of inappropriate content and endless scrolling, many online dangers remain.

“The social media ban only really addresses one set of risks for young people, which is algorithmic amplification of inappropriate content and the doomscrolling or infinite scroll. Many risks remain. The ban does nothing to address cyberbullying since messaging platforms are exempt from the ban, so cyberbullying will simply shift from one platform to another.”

Leaver also noted that restricting access to popular platforms will not drive children offline. With the ban in place, young users will explore whatever digital spaces remain, which could be less regulated and potentially riskier.

“Young people are not leaving the digital world. If we take some apps and platforms away, they will explore and experiment with whatever is left. If those remaining spaces are less known and more risky, then the risks for young people could definitely increase. Ideally the ban will lead to more conversations with parents and others about what young people explore and do online, which could mitigate many of the risks.”

From a broader perspective, Leaver emphasized that the ban on social media will only be fully beneficial if accompanied by significant investment in digital literacy and digital citizenship programs across schools:

“The only way this ban could be fully beneficial is if there is a huge increase in funding and delivery of digital literacy and digital citizenship programs across the whole K-12 educational spectrum. We have to formally teach young people those literacies they might otherwise have learnt socially, otherwise the ban is just a 3 year wait that achieves nothing.”

He added that platforms themselves should take a proactive role in protecting children:

“There is a global appetite for better regulation of platforms, especially regarding children and young people. A digital duty of care which requires platforms to examine and proactively reduce or mitigate risks before they appear on platforms would be ideal, and is something Australia and other countries are exploring. Minimizing risks before they occur would be vastly preferable to the current processes which can only usually address harm once it occurs.”

Looking at the global stage, Leaver sees Australia’s ban on social media as a potential learning opportunity for other nations:

“There is clearly global appetite for better and more meaningful regulation of digital platforms. For countries considering their own bans, taking the time to really examine the rollout in Australia, to learn from our mistakes as much as our ambitions, would seem the most sensible path forward.”

Other specialists continue to warn that the ban on social media could isolate vulnerable teenagers or push them toward more dangerous, unregulated corners of the internet.

Legal Voices Raise Serious Constitutional Questions

Senior Supreme Court Advocate Dr. K. P. Kylasanatha Pillay offered a thoughtful reflection: “Exposure of children to the vagaries of social media is a global concern… But is a total ban feasible? We must ask whether this is a reasonable restriction or if it crosses the limits of state action. Not all social media content is harmful. The best remedy is to teach children awareness.” His perspective reflects growing debate about rights, safety, and state control.

LinkedIn, Reddit, and the Public Divide

Social media itself has become the battleground for reactions. On Reddit, youngsters were particularly vocal about the ban on social media. One teen wrote: “Good intentions, bad execution. This will make our generation clueless about internet safety… Social media is how teenagers express themselves. This ban silences our voices.” Another pointed out the easy loophole: “Bypassing this ban is as easy as using a free VPN. Governments don’t care about safety — they want control.” But one adult user disagreed: “Everyone against the ban seems to be an actual child. I got my first smartphone at 20. My parents were right — early exposure isn’t always good.” This generational divide is at the heart of the debate.

Brands, Marketers, and Schools Brace for Impact

Bindu Sharma, Founder of World One Consulting, highlighted the global implications: “Ten of the biggest platforms were ordered to block children… The world is watching how this plays out.” If the ban succeeds, brands may rethink how they target younger audiences. If it fails, digital regulation worldwide may need reimagining.

Where Does This Leave the World?

Australia’s decision to ban social media for children under 16 is bold, controversial, and rooted in good intentions. It could reshape how societies view childhood, technology, and digital rights. But as critics note, a ban on social media platforms can also create unintended consequences, from delinquency to digital illiteracy. What’s clear is this: Australia has started a global conversation that’s no longer avoidable. As one LinkedIn user concluded: “Safety of the child today is assurance of the safety of society tomorrow.”

Coupang CEO Resigns After Massive Data Breach Exposes Millions of Users

10 December 2025 at 02:42


The resignation of Coupang’s CEO is a headline many in South Korea expected, but it still signals a major moment for the country’s tech and e-commerce landscape. Coupang Corp. confirmed on Wednesday that CEO Park Dae-jun has stepped down following a massive data breach that exposed the personal information of 33.7 million people, almost two-thirds of the country’s population. Park said he was “deeply sorry” for the incident and accepted responsibility both for the breach and for the company’s response. His exit, while formally described as a resignation, is widely seen as a forced departure given the scale of the fallout and growing anger among customers and regulators. To stabilize the company, Coupang’s U.S. parent, Coupang Inc., has appointed Harold Rogers, its chief administrative officer and general counsel, as interim CEO. The parent company said the leadership change aims to strengthen crisis management and ease customer concerns.

What Happened in the Coupang Data Breach

The company clarified that the latest notice relates to the previously disclosed incident on November 29 and that no new leak has occurred. According to Coupang’s ongoing investigation, the leaked information includes:
  • Customer names and email addresses
  • Full shipping address book details, such as names, phone numbers, addresses, and apartment entrance access codes
  • Portions of the order information
Coupang emphasized that payment details, passwords, banking information, and customs clearance codes were not compromised. As soon as it identified the leak, the company blocked abnormal access routes and tightened internal monitoring. It is now working closely with the Ministry of Science and ICT, the National Police Agency, the Personal Information Protection Commission (PIPC), the Korea Internet & Security Agency (KISA), and the Financial Supervisory Service.

Phishing, Smishing, and Impersonation Alerts

Coupang warned customers to be extra cautious as leaked data can fuel impersonation scams. The company reminded users that:
  • Coupang never asks customers to install apps via phone or text.
  • Unknown links in messages should not be opened.
  • Suspicious communications should be reported to 112 or the Financial Supervisory Service.
  • Customers must verify messages using Coupang’s official customer service numbers.
Users who stored apartment entrance codes in their delivery address book were also urged to change them immediately. The company also clarified that delivery drivers rarely call customers unless necessary to access a building or resolve a pickup issue, a small detail meant to help people recognize potential scam attempts.

Coupang CEO Resigns as South Korea Toughens Cyber Rules

The departure of CEO Park comes at a time when South Korea is rethinking how corporations respond to data breaches. The government’s 2025 Comprehensive National Cybersecurity Strategy puts direct responsibility on CEOs for major security incidents. It also expands CISOs' authority, strengthens IT asset management requirements, and gives chief privacy officers greater influence over security budgets. This shift follows other serious breaches, including SK Telecom’s leak of 23 million user records, which led to a record 134.8 billion won fine. Regulators are now considering fines of up to 1.2 trillion won for Coupang, roughly 3% of its annual sales, under the Personal Information Protection Act. The company also risks losing its ISMS-P certification, a possibility unprecedented for a business of its size.

Industry Scramble After a Coupang Data Breach of This Scale

A Coupang data breach affecting tens of millions of people has sent shockwaves across South Korea’s corporate sector. Authorities have launched emergency inspections of 1,600 ISMS-certified companies and begun unannounced penetration tests. Security vendors say Korean companies are urgently adding multi-factor authentication, AI-based anomaly detection, insider threat monitoring, and stronger access controls. Police naming a former Coupang employee, a Chinese national, as a suspect has intensified focus on insider risk. Government agencies, including the National Intelligence Service, are also working with private partners to shorten cyber-incident analysis times from 14 days to 5 days using advanced AI forensic labs.

Looking Ahead

With the Coupang CEO’s resignation now shaping the company’s crisis trajectory, Coupang faces a long road to rebuilding trust among users and regulators. The company says its teams are working to resolve customer concerns quickly, but the broader lesson is clear: cybersecurity failures now carry real consequences, including at the highest levels of leadership.

Three Ukrainian Nationals Detained in Warsaw with Hacking and Spy Equipment

9 December 2025 at 02:51

Polish police

Polish police have detained three Ukrainian citizens after discovering a cache of sophisticated hacking and spy-detection equipment in their vehicle. The men, aged 39, 42, and 43, were stopped by officers from the Warsaw Śródmieście district during a routine traffic control on Senatorska Street. The investigation revealed tools capable of interfering with IT systems and committing serious cyber-related crimes. During the stop, the officers checked the men’s identification and noticed signs of nervousness. In interviews, the suspects admitted to "traveling around Europe," having just arrived in Poland and planning to head to Lithuania. The vehicle was subsequently searched thoroughly, uncovering a range of equipment including:
  • Advanced FLIPPER hacking tools
  • Spy device detectors
  • Antennas capable of disrupting IT systems
  • Laptops and portable hard drives
  • SIM cards and routers
  • Cameras and other electronic devices
The items were considered potentially dangerous to the country’s strategic IT and telecommunications infrastructure.

Evidence Analysis and Investigation by Polish police

All seized electronic devices were handed over to the Warsaw Central Bureau for Combating Cybercrime (CBZC) for examination. Although the data storage devices were encrypted, investigators were able to decode and gather evidence thanks to swift action from the CBZC. During further questioning, the suspects claimed to be IT specialists. However, their answers were inconsistent, and they struggled to explain the purpose of the equipment. At times, they pretended not to understand English when asked specific questions. Criminal investigators from Warsaw’s Property Crime Department are exploring the circumstances surrounding their entry into Poland, their travel intentions, and the potential use of the seized devices. The case remains under active investigation.

Charges and Court Action

The three men face multiple charges including:
  • Fraud
  • Computer fraud
  • Possession of devices and computer programs adapted for criminal activities
  • Attempted damage of computer data of particular importance to national defense
Following the investigation, the Warsaw Śródmieście-Północ District Prosecutor’s Office requested preventive measures, and the court granted three-month pretrial detention for all three suspects. The proceedings continue under the supervision of the District Prosecutor’s Office.

Police Statement and Context

Polish police emphasized their ongoing efforts to protect national security and public safety. Officers from the Intelligence and Patrol Department of the Warsaw I District Police Headquarters demonstrated rapid and professional response, highlighting the importance of vigilance in detecting potential threats posed by individuals carrying specialized IT and surveillance equipment. The authorities are exploring all possible scenarios regarding the suspects’ activities in Poland and across Europe, and the case underscores growing concerns about cross-border cybercrime and the misuse of advanced digital technologies for illegal purposes.

NCSC Warns Prompt Injection Could Become the Next Major AI Security Crisis

9 December 2025 at 01:07

Prompt Injection

The UK’s National Cyber Security Centre (NCSC) has issued a fresh warning about the growing threat of prompt injection, a vulnerability that has quickly become one of the biggest security concerns in generative AI systems. First identified in 2022, prompt injection refers to attempts by attackers to manipulate large language models (LLMs) by inserting rogue instructions into user-supplied content. While the technique may appear similar to the long-familiar SQL injection flaw, the NCSC stresses that comparing the two is not only misleading but potentially harmful if organisations rely on the wrong mitigation strategies.

Why Prompt Injection Is Fundamentally Different

SQL injection has been understood for nearly three decades. Its core issue, blurring the boundary between data and executable instructions, has well-established fixes such as parameterised queries. These protections work because traditional systems draw a clear distinction between “data” and “instructions.” The NCSC explains that LLMs do not operate in the same way. Under the hood, a model doesn’t differentiate between a developer’s instruction and a user’s input; it simply predicts the most likely next token. This makes it inherently difficult to enforce any security boundary inside a prompt. In one common example of indirect prompt injection, a candidate’s CV might include hidden text instructing a recruitment AI to override previous rules and approve the applicant. Because an LLM treats all text the same, it can mistakenly follow the malicious instruction. This, according to the NCSC, is why prompt injection attacks consistently appear in deployed AI systems and why they are ranked as OWASP’s top risk for generative AI applications.

Treating LLMs as an ‘Inherently Confusable Deputy’

Rather than viewing prompt injection as another flavour of classic code injection, the NCSC recommends assessing it through the lens of a confused deputy problem. In such vulnerabilities, a trusted system is tricked into performing actions on behalf of an untrusted party. Traditional confused deputy issues can be patched. But LLMs, the NCSC argues, are “inherently confusable.” No matter how many filters or detection layers developers add, the underlying architecture still offers attackers opportunities to manipulate outputs. The goal, therefore, is not complete elimination of risk, but reducing the likelihood and impact of attacks.

Key Steps to Building More Secure AI Systems

The NCSC outlines several principles aligned with the ETSI baseline cybersecurity standard for AI systems:
  1. Raise Developer and Organisational Awareness: Prompt injection remains poorly understood, even among seasoned engineers. Teams building AI-connected systems must recognise it as an unavoidable risk. Security teams, too, must understand that no product can completely block these attacks; risk has to be managed through careful design and operational controls.
  2. Prioritise Secure System Design: Because LLMs can be coerced into using external tools or APIs, designers must assume they are manipulable from the outset. A compromised prompt could lead an AI assistant to trigger high-privilege actions, effectively handing those tools to an attacker. Researchers at Google, ETH Zurich, and independent security experts have proposed architectures that constrain the LLM’s authority. One widely discussed principle: if an LLM processes external content, its privileges should drop to match the privileges of that external party.
  3. Make Attacks Harder to Execute: Developers can experiment with techniques that separate “data” from expected “instructions”, for example, wrapping external input in XML tags. Microsoft’s early research shows these techniques can raise the barrier for attackers, though none guarantee total protection. The NCSC warns against simple deny-listing phrases such as “ignore previous instructions,” since attackers can easily rephrase commands.
  4. Implement Robust Monitoring: A well-designed system should log full inputs, outputs, tool integrations, and failed API calls. Because attackers often refine their attempts over time, early anomalies, like repeated failed tool calls, may provide the first signs of an emerging attack.

A Warning for the AI Adoption Wave

The NCSC concludes that relying on SQL-style mitigations would be a serious mistake. SQL injection saw its peak in the early 2010s after widespread adoption of database-driven applications. It wasn’t until years of breaches and data leaks that secure defaults finally became standard. With generative AI rapidly embedding itself into business workflows, the agency warns that a similar wave of exploitation could occur, unless organisations design systems with prompt injection risks front and center.

IP Camera Hacking Scandal: South Korea Targets Exploitative Video Network

3 December 2025 at 01:56

IP Camera Hacking

The National Investigation Headquarters of the National Police Agency has arrested four suspects involved in a major IP Camera Hacking case that resulted in the theft and sale of sensitive video footage from more than 120,000 devices. The police said the suspects edited the stolen footage and distributed illegally filmed material and other sexual exploitation material on an overseas website, causing serious privacy violations for victims. Authorities have launched wider investigations into website operators, content buyers, and viewers, while also beginning large-scale victim protection efforts to stop further harm.

IP Camera Hacking Suspects Sold Stolen Video Files

According to police, the four suspects, identified as B, C, D, and E, carried out extensive hacking activities targeting tens of thousands of IP cameras installed in homes and businesses. Many cameras were protected with weak passwords, such as repeated characters or simple number sequences.
  • Suspect B hacked around 30,000 cameras, edited the stolen footage into 545 videos, and earned virtual assets worth about 35 million won.
  • Suspect C created 648 files from around 70,000 hacked devices, earning about 18 million won.
  • Their videos made up 62% of all content uploaded on the illegal overseas website (Site A) in the past year.
  • Suspect D hacked about 15,000 cameras and stored child and youth sexual exploitation material.
  • Suspect E hacked 136 cameras but did not distribute any content.
Police said that no profits remained at the time of arrest, and the case has been forwarded to the National Tax Service for additional legal action.

Police Investigating Operators, Purchasers, and Viewers of Illegally Filmed Material

The investigation extends to the operator of Site A, which hosted illegally filmed material from victims in several countries. Police are working with foreign investigative agencies to identify and take action against the operator. Individuals who purchased sexually exploitative material, including illegally filmed material, are also under investigation. Three buyers have already been arrested. The police confirmed that viewers of such material will also face legal consequences under the Sexual Violence Punishment Act. To prevent further exposure, police have asked the Broadcasting Media and Communications Deliberation Committee to block access to Site A and are coordinating with international partners to shut down the platform.

Security Measures Issued After Large-Scale IP Camera Hacking Damage

Investigators have directly notified victims through visits, phone calls, and letters, guiding them on how to change passwords and secure their devices. The police are working with the Ministry of Science and ICT and major telecom companies to identify vulnerable IP cameras and inform users quickly. Users are being advised to strengthen passwords, enable two-factor authentication, and keep device software updated. Additionally, the Personal Information Protection Commission is assisting in identifying high-risk cases to prevent further leaks of sensitive videos.

Protection for Victims and Strong Action Against Secondary Harm

Authorities are prioritizing support for victims of illegally filmed material and sexual exploitation material. Victims can receive counseling, assistance with deleting harmful content, and help blocking its spread through the Digital Sex Crime Victim Support Center. Police stressed that strict action will also be taken against individuals who repost, share, or store such material. Park Woo-hyun, Cyber Investigation Director at the National Police Agency, emphasized the seriousness of these crimes, stating: “IP Camera Hacking and sexually exploitative material, including illegally filmed content, cause enormous pain to victims, and we will actively work to eradicate these crimes through strong investigation.” He added, “Illegal filming videos — including possessing them — is a serious crime, and we will investigate such acts firmly and without hesitation.”

European Court Imposes Strict New Data Checks on Online Marketplace Ads

3 December 2025 at 00:34

CJEU ruling

The ruling issued by the Court of Justice of the European Union (CJEU) on Tuesday has made it clear that online marketplaces are responsible for the personal data that appears in advertisements on their platforms. The decision makes clear that platforms must get consent from any person whose data is shown in an advertisement, and must verify ads before they go live, especially where sensitive data is involved. The CJEU ruling comes from a 2018 incident in Romania. A fake advertisement on the classifieds website publi24.ro claimed a woman was offering sexual services. The post included her photos and phone number, which were used without her permission. The operator of the site, Russmedia Digital, removed the ad within an hour, but by then it had already been copied to other websites. The woman said the ad harmed her privacy and reputation and took the company to court. Lower courts in Romania gave different decisions, so the case was referred to the Court of Justice of the European Union for clarity. The CJEU has now confirmed that online marketplaces are data controllers under the GDPR for the personal data contained in ads on their sites.

CJEU Ruling: What Online Marketplaces Must Do Now

The court said that marketplace operators must take more responsibility and cannot rely on old rules that protect hosting services from liability. From now on, platforms must:
  • Check ads before publishing them when they contain personal or sensitive data.
  • Confirm that the person posting the ad is the same person shown in the ad, or make sure the person shown has given explicit consent.
  • Refuse ads if consent or identity verification cannot be confirmed.
  • Put measures in place to help prevent sensitive ads from being copied and reposted on other websites.
These steps must be part of the platform’s regular technical and organisational processes to comply with the GDPR.

What This Means for Platforms Across The EU

Legal teams at Pinsent Masons warned the decision “will likely have major implications for data protection across the 27 member states.” Nienke Kingma of Pinsent Masons said the ruling is important for compliance, adding it is “setting a new standard for data protection compliance across the EU.” Thijs Kelder, also at Pinsent Masons, said: “This judgment makes clear that online marketplaces cannot avoid their obligations under the GDPR,” and noted the decision “increases the operational risks on these platforms,” meaning companies will need stronger risk management. Daphne Keller of Stanford Law School warned about wider effects on free expression and platform design, noting the ruling “has major implications for free expression and access to information, age verification and privacy.”

Practical Impact

The CJEU ruling marks a major shift in how online marketplaces must operate. Platforms that allow users to post adverts will now have to rethink their processes, from verifying identities and checking personal data before an ad goes live to updating their terms and investing in new technical controls. Smaller platforms may feel the pressure most, as the cost of building these checks could be significant. What happens next will depend on how national data protection authorities interpret the ruling and how quickly companies can adapt. The coming months will reveal how verification should work in practice, what measures count as sufficient protection against reposting, and how platforms can balance these new duties with user privacy and free expression. The ruling sets a strict new standard, and its real impact will become clearer as regulators, courts, and platforms begin to implement it.

FTC Action Hits Illuminate Education Over Massive Student Data Breach

2 December 2025 at 02:09

FTC action

The U.S. Federal Trade Commission (FTC) has announced strong enforcement steps against education technology (Edtech) provider Illuminate Education, following a major data breach that exposed the personal information of more than 10 million students across the United States. The agency said the company failed to implement reasonable security measures despite promising schools and parents that student information was protected.

Why the Agency Intervened

The FTC complaint outlines a series of allegations against the Wisconsin-based company, which provides cloud-based software tools for schools. According to the complaint, Illuminate Education claimed it used industry-standard practices to safeguard student information but failed to put in place basic security controls. The Illuminate Education data breach dates back to December 2021, when a hacker accessed the company’s cloud databases using login credentials belonging to a former employee who had left the company more than three years earlier. This lapse allowed unauthorized access to data belonging to 10.1 million students, including email addresses, home addresses, dates of birth, academic records, and sensitive health information. FTC officials said the company ignored warnings as early as January 2020, when a third-party vendor alerted them to several vulnerabilities in their systems. The data security failures included weak access controls, gaps in threat detection, and a lack of proper vulnerability monitoring and patch management. The agency also noted that student data was stored in plain text until at least January 2022, increasing the severity of the breach.

FTC Action: Requirements Under the Proposed Order

As part of the proposed settlement, the FTC will require Illuminate Education to adopt a comprehensive information security program and follow stricter privacy obligations. The proposed FTC order includes several mandatory steps:
  • Deleting any personal information that is no longer required for service delivery.
  • Following a transparent, publicly available data retention schedule that explains why data is collected and when it will be deleted.
  • Implementing a detailed information security program to protect the confidentiality and integrity of personal information.
  • Notifying the FTC when the company reports a data breach to any federal, state, or local authority.
The order also prohibits the company from misrepresenting its data security practices or delaying breach notifications to school districts and families. The FTC said Illuminate had waited nearly two years before informing some districts about the breach, impacting more than 380,000 students. The Commission has voted unanimously to advance the complaint and proposed order for public comment. It will be published in the Federal Register, where stakeholders can share feedback for 30 days before the FTC decides whether to finalize the consent order.

FTC Action and State-Level Enforcement

Alongside the federal enforcement, the state data breach settlement adds another layer of accountability. Attorneys General from California, Connecticut, and New York recently announced a $5.1 million settlement with Illuminate Education for failing to adequately protect student data during the same 2021 cyber incident. California will receive $3.25 million in civil penalties, and the settlement includes strict requirements designed to improve the company’s cybersecurity safeguards. With more than 434,000 California students affected, this marks one of the largest enforcement actions under the California K-12 Pupil Online Personal Information Protection Act (KOPIPA). State officials emphasized that educational technology companies must prioritize the security of children’s data, which often includes highly sensitive information like medical details and learning records.

GPS Spoofing Detected Across Major Indian Airports; Government Tightens Security

2 December 2025 at 00:37

GPS Spoofing

The Union government of India, the country’s central federal administration, on Monday confirmed several instances of GPS spoofing near Delhi’s Indira Gandhi International Airport (IGIA) and other major airports. Officials said that despite the interference, all flights continued to operate safely and without disruption. The clarification came after reports pointed to digital interference affecting aircraft navigation systems during approach procedures at some of the busiest airports in the country.

What Is GPS Spoofing?

GPS spoofing is a form of signal interference where false Global Positioning System (GPS) signals are broadcast to mislead navigation systems. For aircraft, it can temporarily confuse onboard systems about their true location or altitude. While pilots and air traffic controllers are trained to manage such situations, repeated interference requires immediate reporting and stronger safeguards.

Government Confirms Incidents at Multiple Airports

India’s Civil Aviation Minister Ram Mohan Naidu informed Parliament that several flights approaching Delhi reported GPS spoofing while using satellite-based landing procedures on Runway 10. In a written reply to the Rajya Sabha, the minister confirmed that similar signal interference reports have been received from several of India’s major airports, including Mumbai, Kolkata, Hyderabad, Bengaluru, Amritsar, and Chennai. He explained that when GPS spoofing was detected in Delhi, contingency procedures were activated for flights approaching the affected runway. The rest of the airport continued functioning normally through conventional ground-based navigation systems, preventing any impact on overall flight operations.

Safety Procedures and New Reporting System

The Directorate General of Civil Aviation (DGCA) has issued a Standard Operating Procedure (SOP) for real-time reporting of GPS spoofing and Global Navigation Satellite System (GNSS) interference around IGI Airport. The minister added that since DGCA made reporting mandatory in November 2023, regular interference alerts have been received from major airports across the country. These reports are helping regulators identify patterns and respond more quickly to any navigation-related disturbances. India continues to maintain a network of traditional navigation and surveillance systems such as Instrument Landing Systems (ILS) and radar. These systems act as dependable backups if satellite-based navigation is interrupted, following global aviation best practices.

Airports on High Cyber Vigilance

The government said India is actively engaging with global aviation bodies to stay updated on the latest technologies, methods, and safety measures related to aviation cybersecurity. Meanwhile, the Airports Authority of India (AAI) is deploying advanced cybersecurity tools across its IT infrastructure to strengthen protection against potential digital threats. Although the cyber-related interference did not affect flight schedules, the confirmation of GPS spoofing attempts at major airports has led to increased monitoring across key aviation hubs. These airports handle millions of passengers every year, making continuous vigilance essential.

Recent Aviation Challenges

The GPS spoofing reports come shortly after a separate system failure at Delhi Airport in November, which caused major delays. That incident was later linked to a technical issue with the Automatic Message Switching System (AMSS) and was not related to cyber activity. The aviation sector also faced another challenge recently when Airbus A320 aircraft required an urgent software update. Because the A320 is widely used in India, the update led to around 388 delayed flights on Saturday. All Indian airlines completed the required updates by Sunday, allowing normal operations to resume. Despite reports of interference, the Union government emphasised that there was no impact on passenger safety or flight operations. Established procedures, trained crews, and reliable backup systems ensured that aircraft continued operating normally. Authorities said they will continue monitoring navigation systems closely and strengthening cybersecurity measures across airports to safeguard India’s aviation network.

South Korea’s Coupang Hit by Massive Data Breach Affecting Nearly 34 Million Customers

1 December 2025 at 02:00

Coupang data breach

South Korean e-commerce giant Coupang has confirmed a massive data breach that exposed personal information belonging to nearly 33.7 million customers, making it one of the country’s largest cybersecurity incidents in recent years. The company publicly apologised over the weekend, acknowledging that the Coupang data breach stemmed from unauthorised access that may have continued undetected for months. Park Dae-jun, CEO of Coupang, issued a statement on the company’s website saying, “We sincerely apologise once again for causing our customers inconvenience.” The firm, often referred to as the “Amazon of South Korea,” said it is cooperating with law enforcement and regulatory authorities as investigations continue.

Coupang Data Breach Went Undetected for Months

According to Coupang, the unauthorised access began on June 24 through overseas servers but was only discovered on November 18. The company initially believed only about 4,500 accounts were affected. However, further analysis revealed that 33.7 million users had some form of delivery-related personal information exposed. The leaked data includes customer names, phone numbers, email addresses, shipping addresses, and certain order histories. Coupang stressed that no payment card information, financial data, or login credentials were compromised. The company has 24.7 million active commercial users as of the third quarter, which means the Coupang data breach covers almost its entire user base.

Former Employee Identified as Main Suspect

South Korean police confirmed that they have secured the IP address used in the attack and have identified the suspect behind the breach. Investigators say the individual is a former Coupang employee, a Chinese national who has already left South Korea. “We are analysing server logs submitted by Coupang. We have secured the IP used by the suspect and are tracking them down,” an official at the Seoul Metropolitan Police said. Authorities are also verifying whether the individual is linked to an email sent to Coupang threatening to reveal the stolen information.

Government Steps In as Public Concern Rises

The Ministry of Science and ICT held an emergency meeting on Sunday to review the scale of the incident and assess whether Coupang violated any personal information protection rules. Minister Bae Kyung-hoon said regulators are closely monitoring the company’s handling of the breach. The Korea Internet & Security Agency (KISA) issued a public advisory warning users to remain alert for phishing attempts or scam messages pretending to be from Coupang. So far, police have not received reports of smishing or voice phishing linked to the breach, but authorities say preparations are in place in case the situation escalates. The Coupang data breach adds to growing frustration among South Korean consumers, who have witnessed a series of major data leaks this year. SK Telecom and other large companies have faced similar cybersecurity incidents, increasing pressure on businesses to strengthen internal security controls.

Coupang Issues Customer Guidance

The company has started notifying impacted customers through email and text messages. In an FAQ shared with users, Coupang clarified what information was exposed and what steps customers should take. The company reiterated that payment, card details, and passwords were not affected. Coupang also explained that it notified authorities immediately after confirming the issue and is committed to updating customers as the investigation progresses. For now, the company says users do not need to take additional action beyond remaining cautious of unsolicited calls, links or messages claiming to be from Coupang. Police are verifying the suspect’s identity, travel history, and potential motives. They are also examining whether the individual acted alone or was linked to a wider scheme. The case has now moved from an internal inquiry to a full-scale criminal investigation. As authorities continue to analyse server logs and cross-border activity, concerns remain that the scale or impact of the Coupang data breach could grow. For now, officials say there is no evidence of financial misuse, but investigations are still in early stages.

Cyber Monday 2025: How Shoppers Are Being Fooled by ‘Too Good to Be True’ Deals

1 December 2025 at 01:12

Cyber Monday Scams

Cyber Monday scams in 2025 are increasing at a time when phishing, credential theft, and financial cybercrime are already at some of the highest levels seen this year. Attackers know shoppers are distracted by discounts and rushed checkout decisions, and they are using this moment to launch more convincing scams than ever. In November, the National Cyber Security Centre (NCSC) warned that phishing emails are becoming extremely realistic. One recent example involved emails pretending to be from the Canton of Zurich. The messages copied the government’s logo, layout, and tone, pressuring people to update information for “new cryptocurrency tax rules.” Victims were taken to a fake website that looked exactly like the real portal. After entering personal and financial details, they were redirected to the genuine website, so nothing felt suspicious. This pattern isn’t limited to Europe. Microsoft’s Digital Defense Report 2025 found that 52% of cyberattacks are now financially motivated, while only 4% relate to espionage. The report shows attackers are more focused on quick money, data theft, and extortion than anything else. Japan has also seen a spike. The Financial Services Agency reported nearly USD 700 million in unauthorized trades since March, after cybercriminals stole login details from fake securities websites and infostealer malware. Attackers then sent follow-up phishing emails pretending to be regulators to lure victims again, showing how far they go to keep the scam going. With these global trends already in motion, Cyber Monday scams in 2025 are expected to hit even harder, using fake deals, phishing emails, and fraudulent apps to trick shoppers during the busiest online shopping week of the year.

Fake Deals: The Most Common Cyber Monday Scam

Fake deals continue to be one of the biggest Cyber Monday scams. Criminals create websites that look identical to popular shopping platforms. These fake pages advertise impossible discounts and use professional product images to appear genuine. This year, attackers are using:
  • Paid ads to push fake “Cyber Monday” offers
  • AI-generated product photos
  • Fake customer support chatboxes
  • Websites designed to collect card details and passwords
Many of these sites even send fake confirmation emails to make the purchase look real.

Phishing Emails Designed for Holiday Shoppers

Phishing emails increase sharply during Cyber Monday week because shoppers expect order updates, delivery alerts, and discount codes. Attackers take advantage of this by sending emails that look like they’re from Amazon, courier services, or major retailers. Common tactics include:
  • “Your order has been delayed” links
  • Payment failure warnings
  • Early-access Cyber Monday discounts
  • QR codes leading to fake login pages
These messages often use the correct logos and a domain name that looks almost identical to the real brand, making them harder to notice.
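A lookalike domain is something a mail filter or a careful shopper can test for rather than eyeball. The script below is an added example, not code from the original article or from any vendor: it pulls the links out of a constructed email body and classifies each one as legitimate, a lookalike (digit-for-letter and letter-pair substitutions, or a one-character typo of the brand), the brand name hidden as a subdomain of an unrelated domain, or a Punycode (internationalised) host. The brand list, the tiny suffix table, the confusable map and the thresholds are assumptions; a production check would use the Public Suffix List and a fuller confusables table.

```python
import re
from urllib.parse import urlparse

# Brands a shopper expects mail from this week (assumed list for the example).
KNOWN_BRANDS = {"amazon.com", "amazon.co.uk", "fedex.com", "walmart.com", "bestbuy.com"}

# Single characters commonly swapped for look-alikes in phishing domains (assumed map).
SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Tiny stand-in for the Public Suffix List: suffixes under which the
# registrable domain has three labels instead of two.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def normalize(label: str) -> str:
    """Undo common visual substitutions: rn->m, vv->w, 0->o, 1->l, and so on."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(SINGLE_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as amazom."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (subdomain labels, registrable domain) for an ASCII host name."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return labels[:-n], ".".join(labels[-n:])


def classify_link(url: str) -> str:
    host = urlparse(url).hostname or ""
    ascii_host = host.encode("idna").decode("ascii")  # Unicode labels become xn-- labels
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return "punycode"
    subdomains, registrable = split_host(ascii_host)
    if registrable in KNOWN_BRANDS:
        return "legitimate"
    brand_names = {b.split(".")[0] for b in KNOWN_BRANDS}
    # amazon.com.deals-update.net: the brand is only a subdomain of someone else's domain
    if any(normalize(label) in brand_names for label in subdomains):
        return "brand_as_subdomain"
    sld = normalize(registrable.split(".")[0])
    for brand in brand_names:
        if brand in sld or levenshtein(sld, brand) <= 1:
            return "lookalike"
    return "unrelated"


def scan_email(body: str):
    """Classify every link in an email body; returns [(url, verdict), ...]."""
    return [(url, classify_link(url)) for url in URL_RE.findall(body)]


# Constructed sample message, not a real phishing email. The last link uses a
# Cyrillic "a" (U+0430) in place of the Latin one.
SAMPLE_EMAIL = """Your order has been delayed.
Track it here: https://amazon.com.deals-update.net/track?id=42
Or confirm payment at https://www.arnazon.com/signin
Real link for comparison: https://www.amazon.com/gp/orders
Also seen: https://\u0430mazon.com/deals
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:20} {url}")
```

The order of the checks matters: the Punycode test runs before anything else because a mixed-script label can normalise to an exact brand match, and the registrable-domain test runs before the subdomain test so that www.amazon.com is not mistaken for the brand-as-subdomain trick. The substring rule ("amazon" inside "amaz0n-deals") is deliberately greedy and will flag some unrelated domains; that is the trade-off a mail filter usually accepts during a shopping week.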

Fake Mobile Apps Posing as Shopping Tools

Another growing Cyber Monday scam involves fake mobile apps disguised as coupon apps, cashback tools, or sale trackers. Once installed, these apps can access personal details and intercept OTPs. Some harmful apps can:
  • Read text messages
  • Capture saved card information
  • Monitor keystrokes
  • Send fake push notifications
Security researchers have also found fake apps pretending to be BNPL (Buy Now Pay Later) services, which become very active during Cyber Monday sales.

AI-Powered Social Media Scams

Social media is now one of the biggest sources of Cyber Monday scams. Attackers use AI to create fake influencer posts, discount videos, and promotional codes that link to malicious websites. These scams spread quickly because criminals use thousands of fake likes and comments to make the posts look trustworthy. Even after Cyber Monday ends, the impact continues. Stolen passwords and card details are used for:
  • Account takeovers
  • Unauthorized purchases
  • Reward points theft
  • Identity fraud
Cybercriminals also replay stolen username and password pairs against many other websites (credential stuffing), knowing that many people reuse the same credentials.
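Credential stuffing leaves a recognisable trace on the site being attacked: one source address cycling through many different usernames in a short window with a very high failure rate, and the occasional success marking an account whose reused password worked. The script below is an added example, not taken from the article, that runs that check over a few constructed login-log lines; the log format, the five-minute sliding window and the thresholds are assumptions and would be tuned to a real site's traffic.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: one authentication attempt per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: 203.0.113.5 sprays eight accounts in three minutes and
# gets into one of them; 198.51.100.7 is a normal user mistyping a password once.
SAMPLE_LOG = """\
2025-12-01T09:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2025-12-01T09:00:04Z ip=198.51.100.7 user=bob@example.com result=OK
2025-12-01T09:00:09Z ip=203.0.113.5 user=dave@example.com result=FAIL
2025-12-01T09:00:17Z ip=203.0.113.5 user=erin@example.com result=FAIL
2025-12-01T09:00:26Z ip=203.0.113.5 user=frank@example.com result=FAIL
2025-12-01T09:00:33Z ip=203.0.113.5 user=grace@example.com result=FAIL
2025-12-01T09:00:41Z ip=203.0.113.5 user=carol@example.com result=OK
2025-12-01T09:01:12Z ip=198.51.100.7 user=bob@example.com result=FAIL
2025-12-01T09:01:20Z ip=198.51.100.7 user=bob@example.com result=OK
2025-12-01T09:02:03Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2025-12-01T09:02:44Z ip=203.0.113.5 user=ivan@example.com result=FAIL
"""


def parse_log(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or malformed lines
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect_stuffing(lines, window_minutes=5, min_users=5, min_fail_ratio=0.8):
    """Return {ip: finding} for source addresses that show a stuffing pattern."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in parse_log(lines):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        recent = deque()   # attempts inside the sliding window
        users = Counter()  # distinct usernames inside the window
        fails = 0
        for ts, _, user, result in events:
            recent.append((ts, user, result))
            users[user] += 1
            fails += result == "FAIL"
            while ts - recent[0][0] > window:  # drop attempts older than the window
                _, old_user, old_result = recent.popleft()
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                fails -= old_result == "FAIL"
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                findings[ip] = {
                    "attempts": len(events),
                    "distinct_users": len({e[2] for e in events}),
                    # successes from a spraying address are the accounts to lock and reset
                    "possible_takeovers": sorted({e[2] for e in events if e[3] == "OK"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The "possible_takeovers" list is the actionable output: those are the accounts whose reused password worked and that need a forced reset and session revocation, not just a block on the source address, which the attacker will rotate anyway.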

How Shoppers Can Stay Safe

The following habits reduce the risk of falling for Cyber Monday scams in 2025 during the holiday shopping rush:
  • Double-check website URLs
  • Avoid deals sent only through social media DMs
  • Download apps only from official stores
  • Turn on two-factor authentication
  • Be careful with QR codes in emails
  • Never enter card details on unfamiliar sites
Cyber Monday scams in 2025 are becoming harder to spot as criminals use fake deals, phishing emails, and fraudulent apps to target busy shoppers. With global phishing incidents rising and financial cybercrime at record highs, staying alert is the best way to shop safely this season.

Cyberattacks Against the US Intensify as Russian Groups Target Engineering Firm

28 November 2025 at 03:53

A new round of cyberattacks against the US has raised concerns about hidden attempts to access urban infrastructure systems, according to an update from the Center for Countering Disinformation. Investigators found that the attackers relied on SocGholish and RomCom, two tools widely used in cybercrime. While these tools are not new, their deployment in this case suggests a deliberate effort to imitate criminal activity and make attribution significantly harder. Security analysts say this approach has become more common in cyberattacks against the US, where Russian special services attempt to blur the line between criminal campaigns and state-backed operations. By doing so, they complicate forensic analysis and slow the response of US intelligence agencies, buying themselves more time inside targeted networks.

Cyberattacks Against the US Engineering Firm

The breached engineering company works closely with contractors that operate water supply networks, transportation systems, and emergency response services. During the intrusion, hackers reportedly accessed information about internal workflows and critical access points linked to these sectors. This type of information is valuable for anyone looking to understand how US infrastructure is managed, maintained, and defended. Even without causing immediate disruption, gaining insight into these processes can help adversaries identify weak spots or plan future interference. The breach also shows how third-party contractors continue to be an attractive entry point for attackers studying the broader ecosystem of American infrastructure.

Use of SocGholish–RomCom Chain Raises Attribution Concerns

The use of the SocGholish–RomCom chain is notable because it is frequently associated with financially motivated cybercrime. In this case, however, analysts say its deployment looks more like a cover than a coincidence. By leaning on familiar criminal tools, Russian-linked groups can:
  • Disguise the true nature of the operation
  • Blend in with regular cybercrime traffic
  • Delay the time it takes to trace the activity
  • Force investigators to sift through layers of misleading indicators
This tactic has effectively created a “fog” around cyberattacks against the US, making it harder to quickly determine whether an incident is routine criminal activity or something more coordinated.

Possible Motives

Targeting an engineering firm suggests the attackers were not simply looking for data to sell. Analysts believe the motive was reconnaissance, specifically, understanding how infrastructure systems are structured and how contractors manage their access privileges. Such information could be used in the future to exploit vulnerabilities or carry out sabotage. Experts also point out that even an incomplete attack offers useful insights into how American cybersecurity teams respond, how fast they contain threats, and what defensive tools they rely on. The report also comes as international partners continue stepping up their own cybersecurity efforts. The Netherlands recently committed €10 million to join the UK’s cyber program supporting Ukraine, citing growing digital threats. Canada, meanwhile, expanded its sanctions to include more than 100 vessels from Russia’s “shadow fleet” and several organizations connected to the country’s cyber infrastructure. The move is part of a wider effort to limit the networks and resources that support Russian cyber operations.

OpenAI Confirms Mixpanel Breach Impacting API User Data

27 November 2025 at 02:06

OpenAI has confirmed a security incident involving Mixpanel, a third-party analytics provider used for its API product frontend. The company clarified that the OpenAI Mixpanel security incident stemmed solely from a breach within Mixpanel’s systems and did not involve OpenAI’s infrastructure. According to the initial investigation, an attacker gained unauthorized access to a portion of Mixpanel’s environment and exported a dataset that included limited identifiable information of some OpenAI API users. OpenAI stated that users of ChatGPT and other consumer-facing products were not impacted.

OpenAI Mixpanel Security Incident: What Happened

The OpenAI Mixpanel security incident originated on November 9, 2025, when Mixpanel detected an intrusion into a section of its systems. The attacker exported a dataset containing identifiable customer information and analytics data. Mixpanel notified OpenAI on the same day and shared the affected dataset for review on November 25. OpenAI emphasized that no OpenAI systems were compromised, and that sensitive information such as chat content, API requests, prompts, outputs, API keys, passwords, payment details, government IDs, and authentication tokens was not exposed. The exposed dataset was limited to analytics data collected through Mixpanel’s tracking setup on platform.openai.com, the frontend interface for OpenAI’s API product.

Information Potentially Exposed in the Mixpanel Data Breach

OpenAI confirmed that the type of information potentially included in the dataset comprised:
  • Names provided on API accounts
  • Email addresses associated with API accounts
  • Coarse location data (city, state, country) based on browser metadata
  • Operating system and browser information
  • Referring websites
  • Organization or User IDs linked to API accounts
OpenAI noted that the affected information does not include chat content, prompts, responses, or API usage data. Additionally, ChatGPT accounts, passwords, API keys, financial details, and government IDs were not involved in the incident.

OpenAI’s Response and Security Measures

In response to the Mixpanel security incident, OpenAI immediately removed Mixpanel from all production services and began reviewing the affected datasets. The company is actively notifying impacted organizations, admins, and users through direct communication. OpenAI stated that it has not found any indication of impact beyond Mixpanel’s systems but continues to closely monitor for signs of misuse. To reinforce user trust and strengthen data protection, OpenAI has:
  • Terminated its use of Mixpanel
  • Begun conducting enhanced security reviews across all third-party vendors
  • Increased security requirements for partners and service providers
  • Initiated a broader review of its vendor ecosystem
OpenAI reiterated that trust, security, and privacy remain central to its mission and that transparency is a priority when addressing incidents involving user data.

Phishing and Social Engineering Risks for Impacted Users

While the exposed information does not include highly sensitive data, OpenAI warned that the affected details, such as names, email addresses, and user IDs, could be leveraged in phishing or social engineering attacks. The company urged users to remain cautious and watch for suspicious messages, especially those containing links or attachments. Users are encouraged to:
  • Verify messages claiming to be from OpenAI
  • Be wary of unsolicited communication
  • Enable multi-factor authentication (MFA) on their accounts
  • Avoid sharing passwords, API keys, or verification codes
OpenAI stressed that the company never requests sensitive credentials through email, text, or chat. OpenAI confirmed it will provide further updates if new information emerges from ongoing investigations. Impacted users can reach out at mixpanelincident@openai.com for support or clarification.

Asahi Group Cyberattack: Data of 2 Million Customers and Employees Potentially Exposed

27 November 2025 at 00:19

Japanese beverage giant Asahi Group Holdings has confirmed new findings in its ongoing investigation into the Asahi Group cyberattack, revealing that personal information linked to around 2 million customers, employees, and external contacts may have been exposed. The update follows a detailed forensic review of the system disruption that struck its domestic servers on September 29. President and Group CEO Atsushi Katsuki addressed the media in Tokyo, offering an apology while outlining the company’s path toward full recovery. Katsuki said Asahi expects to resume automated orders and shipments by December, with full logistics normalization anticipated by February.

Asahi Group Cyberattack Investigation Reveals Scale of Data Exposure

According to the company, the Asahi Group cyberattack involved ransomware, which encrypted files across multiple servers and some company-issued PCs. Asahi confirmed that while systems in Japan were affected, no impact has been identified on overseas operations. A hacker group known as Qilin has claimed responsibility on the dark web, stating it had stolen internal documents and employee data. Asahi, however, reported no evidence that personal data has been published online. Katsuki also clarified that no ransom payment was made. The attack previously forced Asahi to delay its January–September financial results, initially scheduled for November 12.

Timeline and Technical Findings

Asahi’s latest report outlines the internal timeline and technical assessment:
  • At 7:00 a.m. JST on September 29, systems began malfunctioning, and encrypted files were soon discovered.
  • By 11:00 a.m. JST, the company disconnected its network and isolated the data center to contain the attack.
  • Investigators later revealed the attacker gained entry via network equipment at a Group site, deploying ransomware simultaneously across multiple servers.
  • Forensic reviews confirmed potential exposure of data stored on both servers and employee PCs.
  • The impact remains limited to Japan-managed systems.
As part of regulatory requirements, Asahi submitted its final report to the Personal Information Protection Commission on November 26.

Details of Potentially Exposed Personal Information

As of November 27, the company has identified the following potentially affected groups and data types:
  • Customer Service Center contacts from Asahi Breweries, Asahi Soft Drinks, and Asahi Group Foods: name, gender, address, phone number, email address (1,525,000 individuals)
  • External contacts who received congratulatory or condolence telegrams: name, address, phone number (114,000 individuals)
  • Employees and retirees: name, date of birth, gender, address, phone number, email address, other details (107,000 individuals)
  • Family members of employees and retirees: name, date of birth, gender (168,000 individuals)
Asahi confirmed that no credit card information was included in the exposed data sets. The company has set up a dedicated helpline (0120-235-923) for concerned individuals.

System Restoration and Strengthened Cybersecurity Measures

Following the Asahi Group cyberattack, the company spent two months containing the incident, restoring essential systems, and reinforcing security defences. These measures include:
  • A full forensic investigation by external cybersecurity experts
  • Integrity verification of affected systems and devices
  • Gradual restoration of systems confirmed to be secure
Preventive actions now underway include:
  • Redesigned network communication routes and stricter connection controls
  • Limiting internet-facing connections to secure zones
  • Upgraded security monitoring for improved threat detection
  • Revised backup strategies and refreshed business continuity plans
  • Enhanced security governance through employee training and external audits
In his public statement, Katsuki said, “We apologize for any difficulties caused to our stakeholders by the recent system disruption. We are making every effort to restore systems quickly while strengthening information security across the Group.” He added that product shipments are being restored in phases as recovery progresses. With investigation findings now submitted to regulators and system restoration underway, the company aims to prevent any recurrence while reassuring customers and partners affected by the Asahi Group cyberattack.

London Councils Hit by Cyber Incident, Services Temporarily Disrupted

26 November 2025 at 07:20

Three London councils are responding to a major cybersecurity incident that has disrupted public services and triggered alerts across the capital. The Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC), and Hammersmith and Fulham Council confirmed on Tuesday evening (November 25) that they were investigating a serious cyber security issue affecting shared systems. The situation has raised concerns as local authorities increase monitoring and coordinate with national agencies to understand the scale of the London councils cyberattack.

London Councils Confirm Cybersecurity Incident

RBKC issued an official statement revealing that both its systems and those of Westminster City Council were impacted by what it described as a “cyber security issue.” The incident, detected early on Monday morning (November 24), prompted both councils to notify the UK Information Commissioner’s Office (ICO) and work closely with the National Cyber Security Centre (NCSC) and specialist cyber incident responders. Officials said the focus remains on securing systems, protecting data, and restoring essential services. The first public indication of disruption came when RBKC posted on X around 1pm on Monday, warning of “system issues” affecting online services. By Tuesday morning, the council described the situation as a “serious IT issue,” confirming wider service interruptions as investigations continued.

WCC issued a similar update, explaining that its computer networks were temporarily shut down as a precaution. The council apologised to residents for the inconvenience but emphasised that immediate action was necessary to prevent further impact. “We are taking swift and effective action to bring all our systems back online as soon as possible,” the council stated on its website. Emergency contact numbers were provided for urgent issues.

Multiple London Authorities Heighten Threat Levels

In the wake of the London councils cyberattack, Hackney Council circulated an internal “urgent communication,” warning staff that intelligence indicated multiple London councils had been targeted by cyberattacks within the last 24 to 48 hours. As a result, the borough escalated its internal cyber threat level to Critical. Hackney officials have experience responding to major cybersecurity incidents, following a severe attack in 2020 that affected hundreds of thousands of residents and staff. Hammersmith and Fulham Council also reported that it had responded to a serious cybersecurity incident, although the local authority stated that, so far, there was no evidence that its systems had been breached. Across the affected boroughs, several IT systems, online portals, and phone lines remain disrupted. To maintain essential services, councils activated business continuity and emergency plans, prioritising support for vulnerable residents. Additional staff have been assigned to monitor phone lines and emails while restoration work continues.

Authorities Investigating Potential Data Exposure

RBKC and WCC noted that it is still too early to determine the root cause, the extent of the incident, or whether any personal data has been compromised. However, officials confirmed that investigations are underway to determine whether the attack involved techniques similar to Account Takeover Fraud or other targeted compromise attempts. “We don’t have all the answers yet,” RBKC said, “but we know people will have concerns, so we will be updating residents and partners further over the coming days.” Council IT teams worked overnight on Monday to apply several mitigation measures, and officials said they remain vigilant for any potential follow-up attempts.

National Agencies Monitoring the Situation

A spokesperson for the National Cyber Security Centre confirmed awareness of the incident and said the agency is “working to understand any potential impact.” The NCSC continues to support local authorities in managing the wider threat. The Metropolitan Police Cyber Crime Unit also confirmed it received a referral from Action Fraud on Monday following reports of a suspected cyber-attack against several London borough councils. “Enquiries remain in the early stages,” a spokesperson said, adding that no arrests have been made so far. All affected councils apologised for the disruption and urged residents to expect delays in accessing some services. They also committed to providing further updates as system recovery progresses. For concerns related to Westminster or Hammersmith and Fulham, residents were advised to contact those authorities directly.

Account Takeover Scams Surge as FBI Reports Over $262 Million in Losses

26 November 2025 at 00:34

The Account Takeover fraud threat is accelerating across the United States, prompting the Federal Bureau of Investigation (FBI) to issue a new alert warning individuals, businesses, and organizations of all sizes to stay vigilant. According to the FBI Internet Crime Complaint Center (IC3), more than 5,100 complaints related to ATO fraud have been filed since January 2025, with reported losses exceeding $262 million. The bureau warns that cyber criminals are increasingly impersonating financial institutions to steal money or sensitive information. As the annual Black Friday sale draws millions of shoppers online, the FBI notes that the surge in digital purchases creates an ideal environment for Account Takeover fraud. With consumers frequently visiting unfamiliar retail websites and acting quickly to secure limited-time deals, cyber criminals deploy fake customer support calls, phishing pages, and fraudulent ads disguised as payment or discount portals. The increased online activity during Black Friday makes it easier for attackers to blend in and harder for victims to notice red flags, making the shopping season a lucrative window for ATO scams.

How Account Takeover Fraud Works

In an ATO scheme, cyber criminals gain unauthorized access to online financial, payroll, or health savings accounts. Their goal is simple: steal funds or gather personal data that can be reused for additional fraudulent activities. The FBI notes that these attacks often start with impersonation, either of a financial institution’s staff, customer support teams, or even the institution’s official website. To carry out their schemes, criminals rely heavily on social engineering and phishing websites designed to look identical to legitimate portals. These tactics create a false sense of trust, encouraging account owners to unknowingly hand over their login credentials.

Social Engineering Tactics Increase in Frequency

The FBI highlights that most ATO cases begin with social engineering, where cyber criminals manipulate victims into sharing sensitive information such as passwords, multi-factor authentication (MFA) codes, or one-time passcodes (OTP). Common techniques include:
  • Fraudulent text messages, emails, or calls claiming unusual activity or unauthorized charges. Victims are often directed to click on phishing links or speak to fake customer support representatives.
  • Attackers posing as bank employees or technical support agents who convince victims to share login details under the guise of preventing fraudulent transactions.
  • Scenarios where cyber criminals claim the victim’s identity was used to make unlawful purchases (sometimes involving firearms), then escalate the scam by introducing another impersonator posing as law enforcement.
Once armed with stolen credentials, criminals reset account passwords and gain full control, locking legitimate users out of their own accounts.
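The sequence described in this section, a login from an unfamiliar device followed by a password reset or other credential change and then money leaving the account, is detectable on the institution's side even when the victim handed over a valid password and MFA code. Below is an added example, not part of the FBI alert or the article: it replays a few constructed JSON-lines account events, learns each account's devices from its earlier history, and flags any account where a credential or payee change and an outbound transfer follow a new-device login within a short window. The event schema, the device identifiers and the 30-minute window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Steps an attacker typically takes right after getting in (assumed set).
RISKY_STEPS = {"password_reset", "mfa_change", "payee_added", "email_change"}

# Constructed sample events (one JSON object per line), not real account data.
# alice's earlier login seeds her known device; bob and carol are legitimate
# activity, including carol paying from a newly bought tablet.
SAMPLE_EVENTS = """\
{"ts": "2025-11-20T10:00:00Z", "account": "alice", "event": "login", "device": "laptop-1"}
{"ts": "2025-11-21T08:30:00Z", "account": "bob", "event": "login", "device": "phone-b"}
{"ts": "2025-11-21T08:31:00Z", "account": "bob", "event": "transfer", "amount": 120}
{"ts": "2025-11-24T13:00:00Z", "account": "carol", "event": "login", "device": "tablet-new"}
{"ts": "2025-11-24T13:05:00Z", "account": "carol", "event": "transfer", "amount": 60}
{"ts": "2025-11-25T02:14:00Z", "account": "alice", "event": "login", "device": "android-unknown"}
{"ts": "2025-11-25T02:16:00Z", "account": "alice", "event": "password_reset"}
{"ts": "2025-11-25T02:19:00Z", "account": "alice", "event": "payee_added"}
{"ts": "2025-11-25T02:26:00Z", "account": "alice", "event": "transfer", "amount": 4900}
"""


def parse_events(lines):
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_takeover(lines, window_minutes=30):
    """Return {account: finding} for accounts matching the takeover sequence."""
    window = timedelta(minutes=window_minutes)
    known_devices = defaultdict(set)  # learned from earlier logins
    suspect = {}                      # account -> state after a new-device login
    findings = {}
    for ev in parse_events(lines):
        acct, kind, ts = ev["account"], ev["event"], ev["ts"]
        if kind == "login":
            if ev["device"] not in known_devices[acct]:
                suspect[acct] = {"since": ts, "device": ev["device"], "steps": []}
            known_devices[acct].add(ev["device"])
            continue
        state = suspect.get(acct)
        if state is None or ts - state["since"] > window:
            continue  # no recent new-device login for this account
        if kind in RISKY_STEPS:
            state["steps"].append(kind)
        elif kind == "transfer" and state["steps"]:
            # new device, then a credential/payee change, then money out: all inside the window
            findings[acct] = {
                "device": state["device"],
                "steps": list(state["steps"]),
                "amount": ev["amount"],
                "minutes_after_login": int((ts - state["since"]).total_seconds() // 60),
            }
    return findings


if __name__ == "__main__":
    for acct, finding in detect_takeover(SAMPLE_EVENTS.splitlines()).items():
        print(acct, finding)
```

A new device on its own is not flagged (carol's tablet), and neither is a credential change without a transfer; the rule fires only on the full chain, which is what keeps it usable as a hold-and-verify trigger rather than a source of noise. The first login ever seen for an account counts as a new device, so in practice the known-device set is seeded from historical logins before the rule goes live, as the replay of alice's earlier login does here.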

Phishing Websites and SEO Poisoning Drive More Losses

Another growing trend is the use of sophisticated phishing domains and websites that perfectly mimic authentic financial institution portals. Victims believe they are logging into their bank or payroll system, but instead, they are handing their details directly to attackers. The FBI also warns about SEO poisoning, a method in which cyber criminals purchase search engine ads or manipulate search rankings to make fraudulent sites appear legitimate. When victims search for their bank online, these deceptive ads redirect them to phishing sites that capture their login information. Once attackers secure access, they rapidly transfer funds to criminal-controlled accounts—many linked to cryptocurrency wallets—making transactions difficult to trace or recover.

How to Stay Protected Against ATO Fraud

The FBI urges customers and businesses to take proactive measures to defend against ATO fraud attempts:
  • Limit personal information shared publicly, especially on social media.
  • Monitor financial accounts regularly for missing deposits, unauthorized withdrawals, or suspicious wire transfers.
  • Use unique, complex passwords and enable MFA on all accounts.
  • Bookmark financial websites and avoid clicking on search engine ads or unsolicited links.
  • Treat unexpected calls, emails, or texts claiming to be from a bank with skepticism.

What To Do If You Experience an Account Takeover

Victims of ATO fraud are advised to act quickly:
  1. Contact your financial institution immediately to request recalls or reversals, and report the incident to IC3.gov.
  2. Reset all compromised credentials, including any accounts using the same passwords.
  3. File a detailed complaint at IC3.gov with all relevant information, such as impersonated institutions, phishing links, emails, or phone numbers used.
  4. Notify the impersonated company so it can warn others and request fraudulent sites be taken down.
  5. Stay informed through updated alerts and advisories published on IC3.gov.

SitusAMC Data Breach Under Investigation After Sensitive Information Compromised

25 November 2025 at 02:34

SitusAMC, a major provider of back-end services for leading banks and lenders, has confirmed a data breach that resulted in the compromise of certain client and customer information. The incident, discovered earlier this month, has raised concerns because of the company’s extensive role in mortgage origination, servicing, and compliance within the real-estate financing ecosystem.

Responding to a query from The Cyber Express, Michael Franco, Chief Executive Officer (CEO) of SitusAMC, said, “We recently became aware of a data security incident impacting certain of our systems. We promptly retained leading third-party experts, launched an investigation, and notified law enforcement. The incident has been contained and SitusAMC is fully operational. No encrypting malware was deployed on our systems. We are in direct contact with our clients about this matter. We remain focused on analyzing any potentially affected data and will provide updates directly to our clients as our investigation progresses.”

According to the company’s disclosure, SitusAMC became aware of the incident on November 12, 2025, and later determined that specific information stored on its systems had been accessed without authorization. While the full scope of the SitusAMC data breach remains under investigation, the company stated that the impacted information includes corporate data associated with clients, such as accounting records and legal agreements, along with certain data belonging to clients’ customers. SitusAMC emphasized that the incident did not involve encrypting malware and that its operational services continue to run without disruption. External cybersecurity experts and federal law enforcement authorities are assisting in the ongoing investigation.

SitusAMC Data Breach Details

In its public notice, the company disclosed that upon detecting the incident, immediate steps were taken to investigate, contain, and secure its systems. The firm began working closely with third-party specialists and notified federal law enforcement to ensure a coordinated response. SitusAMC reiterated that although some information was compromised, all services remain fully operational. No ransomware activity or system encryption was detected, indicating that the attack did not follow the pattern of typical extortion-driven breaches. The company is continuing to analyze the impacted data and remains in close contact with affected clients. In response to the breach, SitusAMC implemented several additional security measures aimed at strengthening its environment against further threats. These steps include resetting credentials, disabling certain remote access tools, updating firewall rules, and enhancing internal security configurations. The company noted that it is still determining which specific services and products may have been affected. However, early assessments indicate that core business operations remain intact.

Impact on Client and Customer Data

The company confirmed that certain client business information was accessed during the incident. This includes internal corporate data and documentation related to client relationships. SitusAMC also stated that some customer information tied to clients may have been impacted, though the nature and extent of this exposure is still being assessed. SitusAMC assured stakeholders that it is working “around the clock” alongside its advisors to determine the full level of impact and will provide updates as the investigation progresses.

Customer Notification and Transparency

To maintain transparency, the company publicly released an example of the customer notification letter distributed on November 22, 2025. The letter outlines what occurred, the types of information potentially exposed, and the steps being taken to safeguard systems moving forward. In the letter, the company reiterated that the incident is contained, services remain fully operational, and no encrypting malware was used. Clients were encouraged to reach out to the company’s security team for additional queries.

IC3 Impersonation Scams Surge, FBI Issues Public Alert

25 November 2025 at 00:53

The FBI has issued a fresh alert warning the public about a growing wave of IC3 impersonation scams, where fraudsters pose as officials from the Internet Crime Complaint Center (IC3) to deceive individuals into sharing sensitive information or paying fraudulent fees. According to the Bureau, more than 100 such cases were reported between December 2023 and February 2025, signaling a concerning rise in criminal attempts disguised as official outreach.

IC3 Impersonation Scams Are Increasing Nationwide

In its latest public communication, the FBI emphasized that the IC3 does not directly contact victims for money, personal data, or case updates. Yet, scammers continue to exploit the trust associated with the organization, using emails, phone calls, social media, and messaging apps to trick victims, often by claiming they have recovered previously lost funds. A particularly troubling variant of IC3 impersonation scams involves scammers posing as financial fraud victims online. They create fake female profiles, join support groups, and recommend contacting a supposed “Chief Director” of IC3 named Jaime Quin on Telegram. Once victims reach out, the scammer claims to have recovered their stolen money but uses this pretext to gather financial information and re-target victims who have already suffered losses.

How the Scam Works

Reports show that initial contact methods vary, but the tactic generally follows a predictable pattern:
  • Scammers falsely claim to work with IC3 or the FBI.
  • They offer assistance in recovering lost funds or say money has already been recovered.
  • Once trust is gained, they request personal or financial details.
  • Victims are then pressured into sending additional payments or revealing sensitive data.
Authorities reiterate that the Internet Crime Complaint Center does not charge fees, does not work with third-party recovery companies, and never reaches out to individuals via social platforms or messaging apps.

How to Protect Yourself

The FBI advises the public to stay vigilant and follow these safety guidelines:
  • IC3 will never contact individuals directly via phone, social media, or email.
  • Do not share personal or financial information with people you meet online or through unsolicited communication.
  • Avoid sending money, cryptocurrency, or gift cards to unknown individuals.
  • Be cautious of anyone claiming to be an IC3 representative, especially if they ask for payment.

Report Suspicious Activity Immediately

Victims are urged to report suspected fraud to ic3.gov, providing details such as communication methods, financial transaction records, and information about the individual or company involved. Individuals aged 60 and above who need help filing a complaint can contact the Department of Justice’s Elder Justice Hotline at 1-833-FRAUD-11.

Black Friday Cybersecurity Survival Guide: Protect Yourself from Scams & Attacks

24 November 2025 at 07:38

Black Friday

Black Friday has evolved into one of the most attractive periods of the year, not just for retailers, but for cybercriminals too. As shoppers rush to grab limited-time deals, attackers exploit the surge in online activity through malware campaigns, phishing scams, payment fraud, and impersonation attacks. With threat actors using increasingly advanced methods, understanding the risks is essential for both shoppers and businesses preparing for peak traffic. This cybersecurity survival guide breaks down the most common Black Friday threats and offers practical steps to stay secure in 2025’s high-risk threat landscape.

Why Black Friday Is a Goldmine for Cybercriminals

Black Friday and Cyber Monday trigger massive spikes in online transactions, email promotions, digital ads, and account logins. This high-volume environment creates the perfect disguise for malicious activity. Attackers know users are expecting deal notifications, promo codes, and delivery updates, making them more likely to click without verifying legitimacy. Retailers also face increased pressure to scale infrastructure quickly, often introducing misconfigurations or security gaps that cybercriminals actively look for.

Common Black Friday Cyber Threats

Black Friday Cybersecurity Survival Guide
  1. Phishing & Fake Deal Emails: Cybercriminals frequently impersonate major retailers to push “exclusive” deals or false order alerts. These emails often contain malicious links aimed at stealing login credentials or credit card data.
  2. Malware Hidden in Apps and Ads: Fake shopping apps and malicious ads spread rapidly during Black Friday.
  3. Fake Retail Websites: Dozens of cloned websites appear each year, mimicking popular brands with nearly identical designs. These sites exist solely to steal payment information or personal data.
  4. Payment Card Fraud & Credential Stuffing: With billions of login attempts occurring during Black Friday, attackers exploit weak or reused passwords to take over retail accounts, redeem loyalty points, or make fraudulent purchases.
  5. Marketplace Scams: Fraudulent sellers on marketplaces offer unrealistic discounts, harvest information, and often never deliver the product. Some also use sophisticated social engineering tactics to manipulate buyers.

Cybersecurity Tips for Shoppers

  • Verify Before You Click: Check URLs, sender domains, and website certificates. Avoid clicking on deal links from emails or messages.
  • Enable Multi-Factor Authentication (MFA): MFA prevents unauthorized access even if an attacker steals your password.
  • Avoid Public Wi-Fi: Unsecured networks can expose your transactions. Use mobile data or a VPN.
  • Use Secure Payment Options: Virtual cards and digital wallets limit your exposure during a breach.
  • Download Apps Only from Official Stores: Stay away from third-party downloads or promo apps not approved by Google or Apple.

Best Practices for Retailers

  • Strengthen Threat Detection & Monitoring: Retailers must monitor unusual login behavior, bot traffic, and transaction spikes. Cyble’s Attack Surface and Threat Intelligence solutions help businesses identify fake domains, phishing lures, and malware campaigns targeting their brand.
  • Secure Payment Infrastructure: Ensure payment systems are PCI-compliant, updated, and protected from card-skimming malware.
  • Educate Customers: Proactively notify customers about known scams and impersonation risks, especially during high-traffic sales periods.
With malware, phishing, and fraud attempts rising sharply during the shopping season, awareness and proactive defense are essential. By staying vigilant and leveraging trusted cybersecurity tools, both shoppers and businesses can navigate Black Friday securely. See how Cyble protects retailers during high-risk shopping seasons. Book your free 20-minute demo now.

Salesforce Confirms Wider Impact in Ongoing Gainsight Security Incident

24 November 2025 at 05:46

Salesforce

Salesforce has issued a new update on the ongoing Salesforce Gainsight security incident, confirming additional details about the unusual activity detected across Gainsight-published applications connected to the CRM platform. The company reiterated that the incident stemmed from the app’s external integration with Salesforce rather than any vulnerability in the Salesforce core platform.

Salesforce Confirms Expanded Investigation

In its latest advisory, Salesforce stated that the unusual activity affecting Gainsight applications may have enabled unauthorized access to certain customers' Salesforce data through the app-to-Salesforce connection. As part of its precautionary measures, Salesforce revoked all active access and refresh OAuth tokens associated with Gainsight-published applications and removed the apps from its AppExchange. While initial communication referenced only three affected customers, Salesforce confirmed on November 21 that the list has expanded, and all newly identified impacted customers have been notified directly. Salesforce emphasized that a broader investigation is underway and continues to provide updates on its official Help portal.

Image: Gainsight security incident (Source: Salesforce)

Gainsight Products and Connectors Temporarily Impacted

According to Gainsight’s latest communication, several of its products, including Gainsight CS, Community (CC), Northpass (CE), Skilljar (SJ), and Staircase (ST), have been affected by Salesforce’s precautionary disconnection. Although the products remain operational, they are currently unable to read or write data to Salesforce. In addition, several third-party connectors integrated with Gainsight, such as Gong.io, Zendesk, and HubSpot, have been temporarily disabled by their respective vendors out of an abundance of caution. Gainsight urged customers to rotate their S3 keys if they have not done so since November 20, 2025, as part of the secure log retrieval process.

No Indication of Salesforce Platform Vulnerability

Salesforce reiterated that there is no evidence suggesting the issue originated from a flaw within the Salesforce platform itself. Instead, the activity appears tied to the external OAuth-based connection between Gainsight applications and Salesforce environments. Crucially, Salesforce confirmed that while the OAuth tokens have been revoked, historical audit trails and logs remain intact, enabling full customer-led investigation efforts. The company also strongly encouraged customers to conduct thorough log reviews using Setup Audit Trail, Event Monitoring logs, and API activity records. Salesforce referenced the Salesforce Log Analysis Guide to support customers in assessing potential compromise indicators.

Indicators of Compromise Published

As part of its transparency efforts, Salesforce shared a list of Indicators of Compromise (IOCs) associated with the threat activity. These include several user agents—such as python-requests/2.32.3 and Salesforce-Multi-Org-Fetcher/1.0—and dozens of IP addresses linked to suspicious access attempts. Gainsight echoed Salesforce’s recommendations and is conducting its own forensic review with support from independent investigators. Both organizations confirmed that the Salesforce Gainsight security incident remains under active investigation. Gainsight has published a detailed timeline and continues to coordinate with Salesforce to determine the full impact. Customers seeking assistance have been directed to Salesforce Help and Gainsight Support for further updates.
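The log review Salesforce recommends can be partly automated. The following is an added example (not Salesforce's or Gainsight's code) that scans exported API activity records for the two user agents quoted above and for the burst pattern an automated multi-org fetcher leaves behind. It assumes a CSV export with the columns TIMESTAMP, USER_ID, CLIENT_IP, USER_AGENT and URI (column names are an assumption, not Salesforce's documented schema), and the IP indicator set is a constructed placeholder standing in for the advisory's list.

```python
"""
Added example: triage Salesforce API activity records against the
Gainsight-incident indicators. Not vendor code; column names and the
IP set are assumptions/placeholders (see lead-in).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# User agents quoted in the Salesforce advisory.
IOC_USER_AGENTS = {
    "python-requests/2.32.3",
    "Salesforce-Multi-Org-Fetcher/1.0",
}

# Constructed placeholder: substitute the IP list from the advisory.
IOC_IPS = {"203.0.113.10"}

# A single user issuing more than this many API calls within one
# calendar minute is treated as an automated bulk fetch.
BURST_THRESHOLD = 50


def parse_log(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def ioc_hits(rows):
    """Return rows whose user agent or source IP matches a published IOC.

    A hit on a generic agent such as python-requests is a lead, not a
    verdict: correlate it with the source IP, the connected app and the
    OAuth token that issued the call before escalating.
    """
    hits = []
    for r in rows:
        reasons = []
        ua = r["USER_AGENT"].strip()
        if ua in IOC_USER_AGENTS:
            reasons.append("ioc_user_agent")
        if r["CLIENT_IP"].strip() in IOC_IPS:
            reasons.append("ioc_ip")
        if reasons:
            hits.append({
                "timestamp": r["TIMESTAMP"],
                "user": r["USER_ID"],
                "ip": r["CLIENT_IP"],
                "user_agent": ua,
                "uri": r["URI"],
                "reasons": reasons,
            })
    return hits


def burst_users(rows, threshold=BURST_THRESHOLD):
    """Return user IDs that exceeded `threshold` calls in any one minute."""
    per_minute = defaultdict(int)
    for r in rows:
        ts = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        per_minute[(r["USER_ID"], ts.replace(second=0))] += 1
    return sorted({user for (user, _), n in per_minute.items() if n > threshold})


def _constructed_sample():
    """Constructed sample log: two ordinary UI calls, one IOC match,
    and 60 calls from one user in a single minute using the fetcher agent."""
    header = "TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT,URI"
    lines = [
        "2025-11-20T09:00:01Z,005AAA,198.51.100.7,Mozilla/5.0,/services/data/v60.0/sobjects/Account",
        "2025-11-20T09:00:05Z,005BBB,203.0.113.10,python-requests/2.32.3,/services/data/v60.0/query",
        "2025-11-20T09:00:09Z,005AAA,198.51.100.7,Mozilla/5.0,/services/data/v60.0/sobjects/Contact",
    ]
    for i in range(60):
        lines.append(
            f"2025-11-20T09:01:{i:02d}Z,005CCC,192.0.2.44,"
            "Salesforce-Multi-Org-Fetcher/1.0,/services/data/v60.0/query"
        )
    return "\n".join([header] + lines) + "\n"


SAMPLE_LOG = _constructed_sample()


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for h in ioc_hits(rows)[:3]:
        print(h)
    print("burst users:", burst_users(rows))
```

Revoked tokens stop future access but do not erase history, so run this over the full retention window rather than only the days around the disclosure.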

Middletown to Restart Utility Billing After Major Cyber Incident

21 November 2025 at 04:40

City of Middletown cyberattack

The City of Middletown has released a new update as part of its ongoing cybersecurity restoration following the significant City of Middletown cyberattack that disrupted multiple municipal services earlier this year. The latest announcement, dated November 20, 2025, provides details on the resumption of utility billing, the status of delinquent accounts, and broader system recovery efforts. As part of the continuing cybersecurity restoration process, Middletown officials confirmed that utility billing will restart in December. Because billing systems were offline for several months, the first bills will be based on estimated usage from the same period last year, plus an additional 25% to account for service charges accrued during the outage. Flat-fee services, including refuse, stormwater, and toter charges, will also be back-billed in full and are expected to return to standard billing cycles in January 2026. While the city aims to restore traditional meter readings, officials noted that a firm timeline is not yet available. Until systems are fully repaired, estimated billing will continue into early 2026. Once meter readings resume, actual usage during the outage will be calculated and spread across six billing cycles to minimize the financial burden on residents.

Delinquent Accounts and Service Continuity

During the City of Middletown cyberattack, the city temporarily paused all utility shutoffs, including for accounts already delinquent before the incident. Shutoffs will now resume only for those pre-existing delinquent accounts. Residents with outstanding balances will receive individual notices outlining payment options and steps to prevent service interruption. For support or questions, residents may contact the Utility Billing Office at (513) 425-7870.

City of Middletown Cyberattack: Ongoing System Recovery

In an earlier update on October 27, 2025, Middletown reported steady progress in restoring core systems. Phone lines, Wi-Fi, and city email accounts are now fully operational, allowing staff to return to regular communication channels with residents. However, certain departments continue to rely on temporary backup processes while the broader network rebuild continues. The cyber event occurred in mid-August, prompting officials to immediately shut down affected systems and bring in third-party cybersecurity specialists to assist with secure restoration and forensic investigation.

Current Department-Level Impact

  • Utility Billing: Still unable to generate new bills until system restoration is complete.
  • Payments: Residents may continue paying previously issued bills via InvoiceCloud or at the City Building.
  • Court Records: In-person court record searches remain available.
  • Police Fingerprint Checks: Not currently available; residents may obtain checks from county, state, or federal agencies.

Data Impact and Ongoing Forensics

The city’s investigation into the cyber event continues with support from external cybersecurity experts. It remains unclear whether any resident data was affected. Officials emphasized that determining what information may have been accessed, and who may be impacted, is a complex, ongoing process. Should the investigation confirm exposure of personal information, the city will notify and assist affected individuals. Middletown also confirmed that it is coordinating with federal, state, and local law enforcement agencies throughout the investigation. At this time, there is no evidence that compromised data has been used for fraudulent activity or identity theft.

U.S. Sentences Samourai Wallet Founders for $237M Crypto Money Laundering Scheme

21 November 2025 at 02:57

Samourai Wallet

The U.S. Justice Department has announced the sentencing of Samourai Wallet’s two co-founders for their role in knowingly transmitting more than $237 million in criminal proceeds through the cryptocurrency-mixing platform. Authorities say the platform’s design enabled users to mask the origin of funds tied to drug trafficking, darknet marketplaces, cyber intrusions, fraud schemes, sanctioned jurisdictions, murder-for-hire operations, and child exploitation sites. Nicolas Roos, Attorney for the United States acting under 28 U.S.C. § 515, said the outcomes “send a clear message that laundering known criminal proceeds—regardless of whether the funds are in fiat or cryptocurrency—will face serious consequences.”

Five- and Four-Year Prison Terms

U.S. District Judge Denise L. Cote sentenced CEO Keonne Rodriguez to five years in prison on August 6, 2025, and CTO William Lonergan Hill to four years on November 19, 2025. Both were convicted of participating in a conspiracy to operate an unlicensed money-transmitting business that knowingly processed criminal proceeds. In addition to prison time, each will serve three years of supervised release and pay a $250,000 fine. They have jointly forfeited more than $6.3 million, representing the fees Samourai earned through the illicit transactions.

How Samourai Wallet Enabled Large-Scale Laundering

According to court documents, Rodriguez and Hill began building Samourai Wallet in 2015 with features designed to hide transaction origins. Two core services—Whirlpool and Ricochet—played a central role:
  • Whirlpool mixed Bitcoin among batches of users, obscuring transaction histories and preventing investigators and exchanges from tracing the original source.
  • Ricochet added intentional “hops” between sending and receiving addresses, complicating blockchain analysis and further distancing funds from their origins.
Between Ricochet’s launch in 2017 and Whirlpool’s expansion in 2019, more than 80,000 Bitcoin—valued at over $2 billion at the time—moved through Samourai’s infrastructure. Prosecutors emphasized that the volume of transactions showed how deeply the platform was embedded in criminal financial flows.

Promotion to Criminal Users

Evidence presented in court showed that both co-founders actively encouraged use of Samourai Wallet on darknet forums, encrypted channels, and social media. Hill allegedly promoted Whirlpool on Dread, a marketplace forum, positioning it as a superior method to “clean dirty BTC.” Rodriguez, in a separate 2020 exchange, urged hackers involved in a major social media breach to route their stolen funds through Samourai. In private WhatsApp messages, Rodriguez reportedly described mixing as “money laundering for bitcoin.” Samourai’s own internal marketing material classified its target users as “Dark/Grey Market participants.”

Global Investigation and International Support

The investigation involved multiple international partners, including Europol, the Portuguese Judicial Police, and the Department of Justice’s Office of International Affairs. Hill was arrested in Portugal and extradited in July 2024. Rodriguez was taken into custody in the United States. The FBI, IRS-Criminal Investigation, and several European agencies contributed to evidence collection, digital forensics, and cross-border coordination.

Who Is Dark Storm? The Threat Actor European Security Teams Can’t Ignore

20 November 2025 at 05:41

Dark Storm

Threat Actor Dark Storm has emerged as one of the most active pro-Russian hacktivist groups this year, escalating disruptive cyberattacks against several government agencies across Europe and Russia. Known primarily for aggressive Distributed Denial-of-Service (DDoS) operations, the group is widening its targets, deepening alliances, and promoting DDoS-as-a-Service offerings to other threat actors across the underground ecosystem.

Who Is Dark Storm? A Pro-Russian Collective Expanding Its Reach 

The threat actor Dark Storm, also known as Dark Storm Team, TeamDarkStorm, and MRHELL112, has built a reputation for hitting critical infrastructure, particularly airports and transportation networks. While DDoS has remained its signature method, the group has recently broadened its campaigns to include political, opportunistic, and retaliatory attacks. Dark Storm is part of the pro-Russian alliance Matryoshka 424, connecting it to other hacktivist clusters that coordinate messaging, tools, and attack timing. The group’s alignment with wider pro-Russian cyber movements has amplified its operational impact, especially during geopolitical flashpoints.

Growing Web of Alliances Boosts Their Disruptive Capabilities 

The threat actor’s tactics frequently overlap with those of linked groups such as OverFlame, Server Killers, Z-Pentest, and Team BD Cyber Ninja, all of which share DDoS infrastructure and ideological motivations.
  • OverFlame focuses on attacks connected to Ukraine and its allies. 
  • Server Killers routinely targets entities perceived as opposing Russian interests. 
  • Z-Pentest, a newer group, has been seen exploiting unauthorized access to ICS panels and performing website defacements. 
These alliances provide Dark Storm with broader botnet access, shared reconnaissance intelligence, and a coordinated amplification strategy, leading to larger and more sustained disruptions.

How Dark Storm Executes Its Attacks

1. Exploiting Public-Facing Applications

Dark Storm’s operations often begin with exploiting weaknesses in internet-facing applications, including misconfigured servers, outdated services, and vulnerable web components. By leveraging Initial Access techniques such as exploiting public-facing apps (T1190), the group aims to identify high-value entry points. This includes:
  • Web servers and cloud-hosted applications
  • Administrative interfaces
  • Exposed databases or misconfigured network devices
The group has also been observed gathering victim identity information (T1589) and host configuration data (T1592) through reconnaissance activities, using scanning and metadata harvesting to tailor its next move.

2. Coordinated DDoS and Endpoint Denial-of-Service Attacks

The core of Dark Storm’s activity lies in coordinated Network Denial-of-Service (T1498) and Endpoint Denial-of-Service (T1499) campaigns. These attacks typically rely on:
  • Voluminous traffic generation using botnets
  • IP spoofing to hide origin
  • Reflective amplification techniques
  • Multi-layer targeting of network and application endpoints
By consuming vast bandwidth, saturating hosting infrastructure, or crashing service layers, Dark Storm aims to cause maximum disruption at minimal operational cost.

3. Escalating Focus on Government Agencies

While past activity was largely centered on transportation and logistics, the recent surge of attacks against government agencies in Europe and Russia marks a notable escalation. The group appears to be leveraging political tension, upcoming elections, and diplomatic shifts to justify its campaigns. These government-focused attacks include:
  • Flooding official portals
  • Disrupting public-facing service websites
  • Interrupting online citizen services
  • Targeting digital communication channels
Although largely disruptive rather than destructive, these incidents highlight the fragility of national digital services under sustained political hacktivism.

How Organizations Can Defend Against Dark Storm’s Tactics 

The tactics used by Threat Actor Dark Storm, particularly large-scale DDoS attacks and exploitation of exposed applications, underscore the importance of continuous threat visibility. Organizations dependent on online services remain especially vulnerable during periods of geopolitical tension or heightened hacktivist activity. Solutions like Cyble’s Cyber Threat Intelligence Platform provide early detection of adversary behavior, monitoring of emerging campaigns, and insights into the developing threats that groups like Dark Storm rely on. With holistic visibility, automation, and advanced analytics, security teams can prioritize high-risk exposures, detect reconnaissance activity sooner, and prepare defenses before attacks escalate.

Stay ahead of threat actor groups like Dark Storm. 

Explore deeper threat insights with Cyble’s Cyber Threat Intelligence Platform- Get Your FREE Demo Now 

Fake Deals, Fake Stores, Real Losses: Black Friday Scams Hit Record High

20 November 2025 at 02:14

Black Friday sale scams

As Black Friday sale scams continue to rise, shoppers across Europe and the US are being urged to stay vigilant this festive season. With promotions kicking off earlier than ever, some starting as early as October 30 in Romania, cybercriminals have had an extended window to target bargain hunters, exploiting their search for deals with fraudulent schemes. For Black Friday 2025, scammers have been impersonating top brands such as Amazon, MediaMarkt, TEMU, IKEA, Kaufland, Grohe, Oral-B, Binance, Louis Vuitton, Jack Daniel’s, Reese’s, and United Healthcare. Among them, Amazon remains the most frequently abused brand, appearing in phishing messages, fake coupon offers, and mobile scams promising massive discounts.

Amid these ongoing threats, many shoppers are also expressing frustration with deceptive pricing tactics seen during the Black Friday period. One Reddit user described the experience as increasingly misleading:

“I'm officially over the Black Friday hype. It used to feel like a sale, now it feels like a prank.

I was tracking a coffee machine at $129. When the ‘Black Friday early deal’ showed up, it became ‘$159 now $139 LIMITED TIME.’ I saw $129 two weeks ago. The kids’ tablet went from $79 to $89 with a Holiday Deal tag — paying extra for a yellow label.

I've been doing Black Friday hunting for 10+ years and it's only gotten worse. Fake doorbusters, fake urgency, fake ‘original’ prices. Feels like they're A/B testing how cooked our brains are as long as the button screams ‘53% OFF.’

Now I only buy when needed and let a Chrome extension track my Amazon orders. It clawed back $72 last month from so-called ‘preview pricing’ after prices dropped again.”

This sentiment reflects a growing concern: while scam campaigns imitate trusted brands, the pressure-driven marketing tactics surrounding Black Friday can also make consumers more vulnerable to fraud.

Moreover, a recent campaign even spoofed United Healthcare, offering a fake “Black Friday Smile Upgrade” with Oral-B dental kits, aiming to collect sensitive personal data. According to data from the City of London Police, shoppers lost around £11.8 million to online shopping fraud during last year’s festive season, from 1 November 2024 to 31 January 2025. Fraudsters often pressure victims with claims that deals are limited or products are scarce, forcing hurried decisions that can result in stolen funds or sensitive information.

A Month-Long Shopping Season Means More Risk

With strong discounts across electronics, toys, apparel, and home goods, consumers are drawn to higher-ticket items. This year, electronics saw discounts up to 30.1%, toys 28%, apparel 23.2%, and furniture 19%, while televisions, appliances, and sporting goods hit record lows in price, prompting significant e-commerce growth. Adobe reported that for every 1% decrease in price, demand increased by 1.029% compared to the previous year, driving an additional $2.25 billion in online spending, a part of the overall $241.4 billion spent online. The combination of high consumer demand and deep discounts makes the Black Friday shopping period especially attractive to cybercriminals, as the increased volume of online transactions offers more opportunities for scams.

How to Protect Yourself from Black Friday Sale Scams

Ahead of Black Friday on November 28, shoppers are being encouraged to follow advice from the Stop! Think Fraud campaign, run by the Home Office and the National Cyber Security Centre (NCSC). Key precautions include:
  • Check the shop is legitimate: Always verify reviews on trusted websites before making a purchase.
  • Secure your accounts: Enable two-step verification (2SV) for important accounts to add an extra layer of security.
  • Pay securely: Use credit cards or verified payment services like PayPal, Apple Pay, or Google Pay. Avoid storing card details on websites and never pay by direct bank transfer.
  • Beware of delivery scams: Avoid clicking links in unexpected messages or calls and confirm any delivery claims with the organization directly.
Individuals are also urged to report suspicious emails, texts, or fake websites to the NCSC, which collaborates with partners to investigate and remove malicious content. For businesses and security-conscious shoppers, leveraging tools like Cyble’s Cyber Threat Intelligence Platform can help monitor brand impersonation, detect scams, and protect sensitive data in real time while Black Friday sale scams are active. With the rise of cyber threats during high-demand shopping periods, proactive intelligence is key to staying safe. Stay alert this Black Friday: your bargains are only valuable if your personal data stays safe. Learn more about how Cyble can protect you and your business here.

ARC Data Sale Scandal: Airlines’ Travel Records Used for Warrantless Surveillance

19 November 2025 at 04:18

ARC Data Sale

The ARC Data Sale to U.S. government agencies has come under intense scrutiny following reports of warrantless access to Americans’ travel records. After growing pressure from lawmakers, the Airlines Reporting Corporation (ARC), a data broker collectively owned by major U.S. airlines, has announced it will shut down its Travel Intelligence Program (TIP), a system that allowed federal agencies to search through hundreds of millions of passenger travel records without judicial oversight.

Lawmakers Question ARC Data Sale and Warrantless Access

Concerns over the ARC Data Sale intensified this week after a bipartisan group of lawmakers sent letters to nine airline CEOs urging them to stop the practice immediately. The letter cited reports that government agencies, including the Department of Homeland Security (DHS), the Internal Revenue Service (IRS), the Securities and Exchange Commission (SEC), and the FBI had been accessing ARC’s travel database without obtaining warrants or court orders. According to the lawmakers, ARC sold access to a system containing approximately 722 million ticket transactions covering 39 months of past and future travel data. This includes bookings made through more than 10,000 U.S.-based travel agencies, popular online travel portals like Expedia, Kayak, and Priceline, and even credit-card reward program bookings. Travel details in this database include a passenger’s name, itinerary, flight numbers, fare details, ticket numbers, and sometimes credit card digits used during the purchase. Documents released through public records requests show that the FBI received travel records from ARC based solely on written requests, bypassing the need for subpoenas. DHS described the database as “an unparalleled intelligence resource.”

IRS Admits Policy Violations in Handling Travel Data

A central point of concern is the revelation that the IRS accessed ARC’s travel database without conducting a legal review or completing a required Privacy Impact Assessment. Under the E-Government Act of 2002, federal agencies must complete such assessments before procuring systems that collect personal data. In a disclosure to Senator Ron Wyden, the IRS admitted it had purchased ARC’s airline data without meeting these requirements. The agency only completed the privacy assessment after receiving an oversight inquiry in 2025. It also confirmed that it had not initially reviewed whether accessing the travel data constituted a search that required a warrant, despite previous commitments to do so after a 2021 investigation into cell-phone location data purchases.

Prospective Surveillance Raises New Privacy Concerns

Beyond historical travel data, lawmakers highlighted that ARC’s tools enabled what they termed “prospective surveillance.” Through automated, recurring searches, government agencies could receive alerts the moment a ticket matching specific criteria was booked. This type of forward-looking monitoring typically requires a higher legal threshold and is allowed only in limited circumstances authorized by Congress. Lawmakers argued that buying such capabilities from a data broker like ARC allowed agencies to circumvent the Fourth Amendment, undermining Americans’ constitutional protection against unreasonable searches. Because ARC only captures bookings made through travel agencies, individuals booking directly with airlines do not have their travel data in the system, effectively creating inconsistent privacy protections based solely on how a ticket is purchased.

ARC Confirms End of Travel Intelligence Program

In a letter sent on Tuesday, ARC CEO Lauri Reishus informed lawmakers that the company would end the Travel Intelligence Program in the coming weeks. The decision follows public and political pressure since September, when media reports first revealed the extent of ARC’s data-sharing arrangements with government agencies. Lawmakers noted that airlines benefit financially when passengers book tickets directly, raising concerns that the surveillance program not only threatened privacy rights but also created potential antitrust implications. As lawmakers push for stronger privacy protections and clearer limits on government surveillance, the ARC data sale case has become a high-profile example of how easily personal travel data can be accessed and shared without passengers’ knowledge.

DoorDash Confirms Cybersecurity Incident After Social Engineering Attack

19 November 2025 at 02:10

doordash cybersecurity incident

American food delivery platform DoorDash has disclosed a cybersecurity incident after an unauthorized third party accessed certain user information through a targeted social engineering attack. The company confirmed that the DoorDash data breach affected an unspecified number of users but clarified that no sensitive or financial information was accessed. According to DoorDash’s public statement, the incident began when a company employee was manipulated into granting access through a social engineering scam. This reflects a rising trend in which attackers exploit human behavior rather than system weaknesses, posing significant risks even to companies with mature cybersecurity programs.

DoorDash Cybersecurity Incident: Social Engineering Identified as the Root Cause

The company revealed that threat actors did not rely on malware or exploit software vulnerabilities. Instead, they used deceptive tactics to influence an employee and gain initial access. This form of attack continues to challenge organizations, as technical security controls often cannot prevent human error. DoorDash stated that its response team quickly identified the data breach, shut down unauthorized access, and initiated an internal investigation. The company has also referred the matter to law enforcement.

What Information Was Accessed in DoorDash Data Breach

DoorDash confirmed that some users, spanning consumers, Dashers, and merchants, were impacted. The type of user information accessed varied and may have included:
  • First and last name
  • Phone number
  • Email address
  • Physical address
The company emphasized that no sensitive information such as Social Security numbers, government-issued IDs, driver’s license details, bank information, or payment card data was compromised in the DoorDash cybersecurity incident. DoorDash added that it has no evidence of fraud, identity theft, or misuse of the accessed information.

DoorDash Response and Security Enhancements

Following the DoorDash cybersecurity incident, the company implemented several measures to strengthen its cybersecurity posture. These steps include:
  • Deploying new security system enhancements to detect and block similar malicious activities
  • Increasing employee security awareness training focused on social engineering threats
  • Engaging an external cybersecurity firm to assist in the investigation and provide expert guidance
  • Coordinating with law enforcement for ongoing inquiry
DoorDash reiterated its commitment to improving user security, stating that it strives to “get 1% better every day” and protect user privacy through continuous improvements.

User Notifications and Support

The company noted that affected users have been notified where required under applicable laws. To address concerns and questions, DoorDash has set up a dedicated call center available in English and French for users in the U.S., Canada, and international regions. Users seeking more information can contact the hotline using reference code B155060. DoorDash also clarified that customers of Wolt or Deliveroo were not impacted by this incident, as the breach was limited exclusively to DoorDash systems and data.

Guidance for Users

While no sensitive data was compromised, DoorDash advised users to remain cautious of unsolicited communications requesting personal information. The company warned users to avoid clicking suspicious links or downloading unexpected attachments, as such tactics are commonly used in social engineering attacks. DoorDash stated that users do not need to take any immediate action to protect their accounts, as the compromised information was limited to basic contact details and there is no evidence of misuse.

5 Things CISOs, CTOs & CFOs Must Learn From Anthropic’s Autonomous AI Cyberattack Findings

18 November 2025 at 02:28

autonomous AI cyberattack

The revelation that a Chinese state-sponsored group (GTG-1002) used Claude Code to execute a large-scale autonomous AI cyberattack marks a turning point for every leadership role tied to security, technology, or business risk. This was not merely an AI-assisted intrusion; it was an AI-powered operation in which the model carried out reconnaissance, exploitation, credential harvesting, and data exfiltration with minimal human involvement. Anthropic confirmed that attackers launched thousands of requests per second, targeting roughly 30 global organizations at a speed no human operator could match. With humans directing just 10–20% of the campaign, this autonomous AI cyberattack is the strongest evidence yet that the threat landscape has shifted from human-paced attacks to machine-paced operations. For CISOs, CTOs, and even CFOs, this is not just a technical incident; it is a strategic leadership warning.

1. Machine-Speed Attacks Redefine Detection Expectations

The GTG-1002 actors didn’t use AI as a side tool — they let it run the operation end-to-end. The autonomous AI cyberattack mapped internal services, analyzed authentication paths, tailored exploitation payloads, escalated privileges, and extracted intelligence without stopping to “wait” for a human.
  • CISO takeaway: Detection windows must shrink from hours to minutes.
  • CTO takeaway: Environments must be designed to withstand parallelized, machine-speed probing.
  • CFO takeaway: Investments in real-time detection are no longer “nice to have,” but essential risk mitigation.
Example: Claude autonomously mapped hundreds of internal services across multiple IP ranges and identified high-value databases — work that would take humans days, executed in minutes.

2. Social Engineering Now Targets AI — Not the User

One of the most important elements of this autonomous AI cyberattack is that attackers didn’t technically “hack” Claude. They manipulated it. GTG-1002 socially engineered the model by posing as a cybersecurity firm performing legitimate penetration tests. By breaking tasks into isolated, harmless-looking requests, they bypassed safety guardrails without triggering suspicion.
  • CISO takeaway: AI governance and model-behavior monitoring must become core security functions.
  • CTO takeaway: Treat enterprise AI systems as employees vulnerable to manipulation.
  • CFO takeaway: AI misuse prevention deserves dedicated budget.
Example: Each isolated task Claude executed seemed benign — but together, they formed a full exploitation chain.

3. AI Can Now Run a Multi-Stage Intrusion With Minimal Human Input

This wasn’t a proof-of-concept; it produced real compromises. The GTG-1002 cyberattack involved:
  • autonomous reconnaissance
  • autonomous exploitation
  • autonomous privilege escalation
  • autonomous lateral movement
  • autonomous intelligence extraction
  • autonomous backdoor creation
The entire intrusion lifecycle was carried out largely by the AI agent, with humans stepping in only to approve strategic decisions.
  • CISO takeaway: Assume attackers can automate everything.
  • CTO takeaway: Zero trust and continuous authentication must be strengthened.
  • CFO takeaway: Business continuity plans must consider rapid compromise — not week-long dwell times.
Example: In one case, Claude spent 2–6 hours mapping a database environment, extracting sensitive data, and summarizing findings for human approval — all without manual analysis.

4. AI Hallucinations Are a Defensive Advantage

Anthropic’s investigation uncovered a critical flaw: Claude frequently hallucinated during the autonomous AI cyberattack, misidentifying credentials, fabricating discoveries, or mistaking public information for sensitive intelligence. For attackers, this is a reliability gap. For defenders, it’s an opportunity.
  • CISO takeaway: Honeytokens, fake credentials, and decoy environments can confuse AI-driven intrusions.
  • CTO takeaway: Build detection rules for high-speed but inconsistent behavior — a hallmark of hallucinating AI.
  • CFO takeaway: Deception tech becomes a high-ROI strategy in an AI-augmented threat landscape.
Example: Some of Claude’s “critical intelligence findings” were completely fabricated — decoys could amplify this confusion.
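Section 1 asks for detection tuned to machine-speed probing and section 4 for honeytokens that trip an AI-driven intrusion. The following is an added example, not code from Anthropic's report or from this article: a small Python detector run over constructed log lines. The log format, the thresholds (20 distinct targets inside a 10-second window), the source addresses and the decoy credential names are all assumptions chosen for the example; a real deployment would tune the window and threshold to the environment's normal enumeration rate.

```python
"""Two detections over constructed auth/access log lines (added example):
(a) one source touching many distinct host:port targets at machine speed,
(b) any use of a honeytoken credential that should never appear in real traffic.
Log format, thresholds, addresses and decoy names are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed decoy identities planted in config files / vaults; any use is an alert.
HONEYTOKENS = {"svc-decoy-reporting", "AKIA0DECOY0000000001"}
WINDOW = timedelta(seconds=10)   # assumed sliding window
DISTINCT_TARGETS = 20            # assumed: no human touches 20 services in 10 s


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    target: str      # host:port
    principal: str
    result: str


def parse_line(line):
    """Line format (assumed): '<iso-ts> <src-ip> <host:port> <principal> <OK|DENIED>'."""
    ts, src, target, principal, result = line.split()
    return Event(datetime.fromisoformat(ts), src, target, principal, result)


def burst_alerts(events):
    """Per source, slide WINDOW over its events and report the first window in
    which it touched >= DISTINCT_TARGETS distinct targets (machine-speed enumeration)."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        in_window = Counter()
        left = 0
        for right, e in enumerate(evs):
            in_window[e.target] += 1
            while e.ts - evs[left].ts > WINDOW:      # drop events older than the window
                in_window[evs[left].target] -= 1
                if in_window[evs[left].target] == 0:
                    del in_window[evs[left].target]
                left += 1
            if len(in_window) >= DISTINCT_TARGETS:
                alerts.append({"rule": "machine_speed_enumeration", "src": src,
                               "distinct_targets": len(in_window), "window_end": e.ts})
                break
    return alerts


def honeytoken_alerts(events):
    """Any event whose principal is a planted decoy is reported immediately."""
    return [{"rule": "honeytoken_used", "src": e.src, "principal": e.principal,
             "target": e.target, "ts": e.ts}
            for e in events if e.principal in HONEYTOKENS]


def detect(lines):
    events = [parse_line(l) for l in lines if l.strip()]
    return burst_alerts(events) + honeytoken_alerts(events)


def constructed_log():
    """Constructed sample: an agent probing 40 hosts in ~1.6 s, a human admin
    touching 5 hosts over ten minutes, then the agent trying a decoy credential."""
    base = datetime(2025, 11, 13, 2, 0, 0)
    lines = []
    for i in range(40):
        t = (base + timedelta(milliseconds=40 * i)).isoformat()
        lines.append(f"{t} 10.0.5.7 10.0.20.{i + 1}:443 svc-backup DENIED")
    for i in range(5):
        t = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{t} 10.0.9.3 10.0.30.{i + 1}:22 alice OK")
    t = (base + timedelta(minutes=7)).isoformat()
    lines.append(f"{t} 10.0.5.7 10.0.40.5:5432 svc-decoy-reporting OK")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The human admin's five logins never reach the threshold, while the agent trips the enumeration rule on its 20th distinct target and again when it uses the decoy credential. Because a hallucinating agent cannot tell a planted credential from a real one, the honeytoken rule needs no tuning at all: a single hit is conclusive.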

5. AI for Defense Is Now a Necessity, Not a Strategy Discussion

Anthropic’s response made something very clear: defenders must adopt AI at the same speed attackers are. During the Anthropic AI investigation, their threat intelligence team deployed Claude to analyze large volumes of telemetry, correlate distributed attack patterns, and validate activity. This marks the era where defensive AI systems become operational requirements.
  • CISO takeaway: Begin integrating AI into SOC workflows now.
  • CTO takeaway: Implement AI-driven alert correlation and proactive threat detection.
  • CFO takeaway: AI reduces operational load while expanding detection scope, a strategic investment.

Leadership Must Evolve Before the Next Wave Arrives

This incident represents the beginning of AI-powered cyber threats, not the peak. Executives must collaborate to:
  • adopt AI for defense
  • redesign detection for machine-speed adversaries
  • secure internal AI platforms
  • prepare for attacks requiring almost no human attacker involvement
As attackers automate reconnaissance, exploitation, lateral movement, and exfiltration, defenders must automate detection, response, and containment. The autonomous AI cyberattack era has begun. Leaders who adapt now will weather the next wave; those who don’t will be overwhelmed by it.

Massive Cyberattack Hits Kenyan Ministries, Sites Replaced With Racist Messages

18 November 2025 at 01:08

Government of Kenya cyberattack

The Government of Kenya cyberattack on Monday morning left several ministry websites defaced with racist and white supremacist messages, disrupting access for hours and prompting an urgent response from national cybersecurity teams. The attack targeted multiple high-profile platforms, raising new concerns about the security of public-sector digital infrastructure. According to officials, it affected websites belonging to the ministries of Interior, Health, Education, Energy, Labour, and Water. Users attempting to access the pages were met with extremist messages including “We will rise again,” “White power worldwide,” and “14:88 Heil Hitler.”

Government of Kenya Cyberattack Under Investigation

The Interior Ministry confirmed the Government of Kenya cyberattack, stating that a group identifying itself as “PCP@Kenya” is suspected to be behind the intrusion. Several government websites were rendered temporarily inaccessible while national teams worked to secure affected systems. “Preliminary investigations indicate that the attack is suspected to have been carried out by a group identifying itself as 'PCP@Kenya',” the ministry said. “Following the incident, we immediately activated our incident response and recovery procedures, working closely with relevant stakeholders to mitigate the impact and restore access to the affected platforms.”

[Image: Government of Kenya cyberattack. Source: X]

Officials confirmed that the situation has since been contained, with systems placed under continuous monitoring to prevent further disruption. Citizens have been encouraged to reach out to the National KE-CIRT if they have information relevant to the breach.

Regional Cyber Issues Reported Within 24 Hours

The Kenyan incident took place just a day after Somalia reported a cyberattack on its Immigration and Citizenship Agency. Somali officials said they detected a breach involving data from individuals who had entered the country using its e-Visa system. Early findings suggest that leaked data may include names, dates of birth, photos, marital status, email addresses, and home addresses. Authorities are now assessing how many people were affected and how attackers gained access to the system. The U.S. Embassy in Somalia referenced claims from November 11, when hackers alleged they had infiltrated the e-visa system and accessed information belonging to at least 35,000 applicants — potentially including U.S. citizens. “While Embassy Mogadishu is unable to confirm whether an individual’s data is part of the breach, individuals who have applied for a Somali e-visa may be affected,” the embassy said.

[Image: Somalia cyber incidents. Source: X]

No Claim of Responsibility So Far

As of Monday afternoon, no threat group has formally claimed responsibility for either the Kenya or Somalia cyber incidents. Investigators are assessing whether the timing suggests any form of coordination or shared exploitation methods. For now, authorities emphasize that sensitive financial information, core government systems, and essential services in Kenya were not impacted. The attack on the Government of Kenya appears to have been limited to public-facing platforms.

Eurofiber France Confirms Data Exfiltration After System Breach

17 November 2025 at 06:34

cybersecurity incident

A cybersecurity incident at Eurofiber France was officially confirmed after the company identified unauthorized activity on November 13, 2025. The incident involved a software vulnerability that allowed a malicious actor to access data from Eurofiber France’s ticket management platform and the ATE customer portal. According to the company, the situation is now under control, with systems secured and additional protective measures implemented.

Cybersecurity Incident Impacted Ticketing Platform and ATE Portal

Eurofiber France stated that the cybersecurity incident affected its central ticket management platform used by regional brands Eurafibre, FullSave, Netiwan, and Avelia. It also impacted the ATE portal, part of Eurofiber France’s cloud services operating under the Eurofiber Cloud Infra France brand. The company confirmed that the attacker exploited a software vulnerability in this shared environment, leading to the exfiltration of customer-related data. The company emphasized that the incident is limited to customers in France using the affected platforms. Customers using Eurofiber services in Belgium, Germany, or the Netherlands, including Eurofiber Cloud Infra in the Netherlands, were not impacted. Eurofiber also noted that the effect on indirect sales and wholesale partners within France remains minimal, as most partners operate on separate systems.

Immediate Response and Containment Measures

Within hours of detecting the breach, Eurofiber France placed both the ticketing platform and the ATE portal under reinforced security. The vulnerability was patched, and additional layers of protection were deployed. The company said its internal teams, working alongside external cybersecurity experts, are now focused on assisting customers in assessing and managing the impact. Eurofiber clarified that no sensitive financial information, such as bank details or regulated critical data stored in other systems, was compromised. All services remained fully operational during the attack, and there was no disruption to customer connectivity or service availability. Customers were notified immediately after the breach was detected. Eurofiber stated it would continue to update affected organizations transparently as the investigation progresses.

Regulatory Notifications and Ongoing Investigation

In line with European regulatory requirements, Eurofiber France has notified the CNIL (France’s Data Protection Authority under GDPR) and reported the incident to ANSSI (the French National Cybersecurity Agency). A police complaint has also been filed in connection with an extortion attempt linked to the attack. The company reaffirmed its commitment to transparency, data protection, and cybersecurity throughout the remediation process.

External Research Points to Larger Data Exposure

International Cyber Digest, a third-party cybersecurity research group, reported that the breach may have exposed information belonging to approximately 3,600 customers. According to their analysis, the threat actor — who identifies as “ByteToBreach” — gained full access to Eurofiber’s GLPI database, including client data, support tickets, internal messages, passwords, and API keys. Researchers noted that Eurofiber’s GLPI installation may have been operating on versions 10.0.7–10.0.14, potentially outdated and vulnerable.

The attacker, in comments shared with the researchers, claimed to have executed a slow, time-based SQL injection attack and extracted nearly 10,000 password hashes over a period of 10 days. They reportedly used administrator-level API keys to download internal documents and customer PII. ByteToBreach also claimed to have contacted both GLPI’s developer, Teclib, and Eurofiber to negotiate ransom demands. According to the research group, those attempts received no response.

Eurofiber France operates over 76,000 kilometers of fiber network and 11 data centers, serving between 9,000 and 12,000 business and government customers. The company’s French clientele includes several major public institutions and private-sector organizations. Eurofiber France reiterated that all systems have now been secured and that enhanced monitoring and preventive measures are in place. The company said its teams remain fully mobilized until the cybersecurity incident is completely resolved.
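The attacker's claim above describes a slow, time-based SQL injection stretched over ten days, which is exactly the shape that per-request rate limits and volume alerts miss. As an added example (not Eurofiber's, GLPI's or the researchers' code), the Python below runs two checks over constructed web-server access lines: a signature check for database delay primitives in the URL-decoded query string, and a latency check that flags a source repeatedly triggering slow responses on one endpoint with varying parameters, which catches the technique even when the payload is obfuscated. The log format (nginx-style with `$request_time` appended as the last field), the endpoint path, the addresses and the thresholds are assumptions chosen for the example.

```python
"""Detect time-based blind SQL injection in constructed access logs (added example).
Format assumed: '<ip> - - [<ts>] "<METHOD> <target> HTTP/x" <status> <bytes> <request_time>'."""
import re
from collections import defaultdict
from urllib.parse import quote, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ (?P<rt>\d+(?:\.\d+)?)$'
)
# Delay primitives used for time-based blind injection on common engines.
TIME_SQLI = re.compile(r"\b(sleep|benchmark|pg_sleep|dbms_lock\.sleep)\s*\(|\bwaitfor\s+delay\b",
                       re.IGNORECASE)

SLOW_SECONDS = 4.5    # assumed: the endpoint's normal p99 is well below this
MIN_SLOW_HITS = 5     # assumed: distinct slow probes from one source before alerting


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise (no exception on junk)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)   # decode %27, %28, + ... before matching
    rec["rt"] = float(rec["rt"])
    return rec


def signature_alerts(recs):
    """Sources that sent a delay primitive anywhere in a decoded query string."""
    hits = defaultdict(int)
    for r in recs:
        if TIME_SQLI.search(r["query"]):
            hits[r["src"]] += 1
    return [{"rule": "time_based_sqli_payload", "src": s, "hits": n} for s, n in hits.items()]


def latency_alerts(recs):
    """Sources that repeatedly made one endpoint slow with *different* parameters:
    one probe per character position is how a blind extraction looks over days."""
    slow = defaultdict(set)
    for r in recs:
        if r["rt"] >= SLOW_SECONDS:
            slow[(r["src"], r["path"])].add(r["query"])
    return [{"rule": "repeated_slow_probes", "src": s, "path": p, "distinct_queries": len(q)}
            for (s, p), q in slow.items() if len(q) >= MIN_SLOW_HITS]


def detect(lines):
    recs = [r for r in (parse_line(l) for l in lines) if r]
    return signature_alerts(recs) + latency_alerts(recs)


def constructed_log():
    """Constructed sample: eight spaced-out probes (one per character position,
    5 s delay each) from one address, plus ordinary traffic from another."""
    lines = []
    for i in range(1, 9):
        payload = f"1' AND IF(SUBSTRING(pwd,{i},1)='a',SLEEP(5),0)-- "
        lines.append(f'203.0.113.9 - - [13/Nov/2025:03:{i:02d}:00 +0100] '
                     f'"GET /app/search.php?q={quote(payload)} HTTP/1.1" 200 512 5.012')
    lines.append('198.51.100.4 - - [13/Nov/2025:03:05:10 +0100] '
                 '"GET /app/search.php?q=printer HTTP/1.1" 200 2048 0.081')
    # One legitimately slow report request: a single slow hit must not alert.
    lines.append('198.51.100.4 - - [13/Nov/2025:03:09:42 +0100] '
                 '"GET /app/report.php?range=year HTTP/1.1" 200 90112 6.420')
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Eight probes spread over eight minutes would never trip a rate limit, but they produce eight distinct slow queries against one path from one source, which the latency rule reports alongside the signature match. Pairing the two rules matters: the signature rule is cheap but evadable through encoding tricks, while the latency rule needs no knowledge of the payload.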

U.S. Announces Five Guilty Pleas and $15M Seizure in Cybercrime Case

17 November 2025 at 00:53

Virtual Currency Theft

The Justice Department has announced major developments in its ongoing efforts to disrupt illicit financing operations linked to North Korea. Five defendants have pleaded guilty in a wide-ranging scheme involving identity fraud, remote IT employment, and large-scale virtual currency theft. The department has also initiated civil forfeiture actions totaling more than $15 million. These actions target financial networks supporting the DPRK government’s weapons program. The case highlights growing concerns surrounding virtual currency heists, identity theft, and the exploitation of U.S. companies through fraudulent remote employment schemes.

North Korean IT Employment Schemes Exposed

According to court documents, U.S. and Ukrainian facilitators helped North Korean IT workers obtain remote jobs with American companies. By providing stolen or falsified identities, hosting employer-issued laptops in the United States, and installing remote-access tools, the defendants created the false impression that the workers were operating domestically. Investigators say the scheme affected more than 136 U.S. companies, generated over $2.2 million in revenue for the DPRK regime, and compromised the identities of at least 18 American citizens. These tactics align with methods highlighted in federal advisories regarding identity misuse, proxy networks, and false documentation used by foreign threat actors—including those involved in virtual currency theft and broader revenue-generation operations.

$15 Million in Virtual Currency Seized

In a parallel action, two civil forfeiture complaints detail how the North Korean hacking group APT38 targeted four overseas virtual currency platforms in 2023. These virtual currency heists resulted in hundreds of millions of dollars being stolen from payment processors and exchanges in Estonia, Panama, and Seychelles. While DPRK-linked actors attempted to launder the stolen funds through mixers, bridges, and over-the-counter traders, U.S. authorities successfully froze and seized more than $15 million worth of USDT stablecoins. Federal officials intend to forfeit the assets so they can eventually be returned to victims.

Virtual Currency Theft: Three Guilty Pleas in Georgia

In the Southern District of Georgia, U.S. nationals Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis pleaded guilty to wire fraud conspiracy. From 2019 to 2022, the trio knowingly supplied their personal identities to overseas IT workers and assisted them in bypassing employer screening procedures. Travis, who served in the U.S. Army during the scheme, received over $51,000 for his involvement. Prosecutors emphasized that the fraudulent operation resulted in more than $1.28 million in salaries being paid out by victim companies, with most of the funds transferred to workers operating outside the United States.

Ukrainian Identity Broker Admits Role

On Nov. 10, Ukrainian national Oleksandr Didenko pleaded guilty in the District of Columbia to wire fraud conspiracy and aggravated identity theft. Didenko sold stolen identities to foreign IT workers— including those linked to North Korea—helping them secure jobs at more than 40 U.S. companies. He agreed to forfeit more than $1.4 million in fiat and digital currency.

Florida Defendant Pleads Guilty in Related Case

In the Southern District of Florida, U.S. citizen Erick Ntekereze Prince admitted to wire fraud conspiracy connected to fraudulent staffing operations. Prince supplied U.S. companies with remote IT workers who were, in fact, based overseas and using stolen identities. His participation earned him more than $89,000. Two co-defendants remain pending trial or extradition. Senior DOJ and FBI officials said the coordinated actions reflect a comprehensive federal strategy to counter North Korea’s illicit revenue-generation networks. They warned that DPRK-linked cyber operations, including identity fraud and virtual currency theft, remain a persistent threat to national and economic security. Authorities urged U.S. companies to strengthen vetting processes for remote workers and remain alert to identity anomalies, unauthorized access tools, and other indicators of foreign fraud.

The Top 100 U.S. Cybersecurity Leaders Shaping a Safer Digital Future

14 November 2025 at 06:14

Top 100 Cybersecurity Leaders in the U.S.

To recognize the individuals driving the transformation of cybersecurity in the United States, The Cyber Express, in collaboration with Suraksha Catalyst, proudly presents the Top 100 Cybersecurity Leaders in the U.S. This initiative celebrates the visionaries and changemakers who are shaping a safer, more resilient digital future for the nation. Cybersecurity today stands as one of the most critical pillars of U.S. national security. With technology deeply embedded in every industry—from finance to healthcare and energy—the role of cybersecurity professionals has become vital in defending the systems that power modern life. These Top 100 cybersecurity leaders in the U.S. are not only tackling today’s threats but also anticipating the challenges of tomorrow.

U.S. Cybersecurity Leaders Driving Change

In recent years, the U.S. government has intensified its focus on cybersecurity, reflecting the growing scale of digital risks. The overall estimated cybersecurity spending at U.S. CFO Act Agencies for fiscal year 2025 is projected to exceed $13 billion, while non-CFO Act agencies are allocating around $674 million. Among federal departments, the Department of Homeland Security (DHS) leads with $3.2 billion in cybersecurity spending, followed by the Department of the Treasury with $1.2 billion. These investments are driven by lessons learned from high-impact incidents such as the Colonial Pipeline attack in 2021 and other major supply chain breaches that exposed vulnerabilities in critical infrastructure. Such events have emphasized the importance of continuous vigilance, rapid response, and cross-sector collaboration. Through this list, The Cyber Express and Suraksha Catalyst aim to spotlight the individuals who are addressing cybersecurity challenges in the United States head-on. The leaders named here represent government, private enterprises, academia, and research institutions. Each of them has made a unique contribution to building a secure digital ecosystem, whether through policy, innovation, defense strategy, or public awareness.

Top 100 Cybersecurity Leaders in the U.S.

The work of these leaders is a reminder that cybersecurity is not just about technology; it is about people. Their dedication, expertise, and leadership continue to inspire progress and safeguard the digital frontier of the United States. Here is the full list of Top 100 Cybersecurity Leaders in the U.S.:
Name Designation Company
Matthew Rosenquist CISO and Cybersecurity Strategist Mercury Risk and Compliance, Inc
Kris Virtue VP Cybersecurity Qualcomm
Joe Suareo, CISA CISO, VP Information Security Restaurant Brands International Inc. (RBI)
Seema Patel CISO Maricopa County
Monica Keeneth CISO Inovalon
Nick Lovrien, CPP Chief Global Security officer-Vice President Meta Platforms Inc (Facebook)
David Dunn CISO Kroll
Jamie Giroux CISO Platinum Equity
Matt Martin CISO/ Director IT Sidley Austin LLP
Stacey S. Smith VP, CISO Gainwell Technologies
Sai Iyer CISO Ziff Davis
Harsha Reddy Head of information security Veterinary Emergency Group LLC (VEG)
Preetham Nayak CISO OVT
Joshy Alappat CISO Oncouse Home Solutions
Prakash Kalaiah Head of Security Enphase Energy
Dave Martin Chief Security Officer ADP
Donna Hart CISO Ally Financial Inc
Chris Hastings Information Security Leader American Family Insurance
Paul Conlon CISO, VP of IT infrastructure and Operations Aptiv
Bashar Abouseido SVP, CISO Charles Schwab
Kurt John CISO Consolidated Edison Company
John Dickson VP, CISO Colonial Pipeline Company
Hilik Kotler SVP, CISO and IT Expedia
Niraj Patel VP and CISO Horizon Blue Cross Blue Shield of New Jersey
Steve Grossman CISO National Basketball Association (NBA)
Tod Mitchinson VP, Chief Information Security Officer New York Life Insurance Company
Alexandria S. (Alexandria San Miguel) Head of information security CHANEL
Daniel Nuñez CISO New York City Employees' Retirement System
David Spizzirro CISO InvestCloud, Inc
Nick Vigier CISO Oscar Health Insurance
George Stathakopoulos VP of Corporate Information Security  Apple
Jerry Geisler EVP & Global CISO Walmart
Peter Rosario CISO USI Insurance Services
Liza (Mermegas) Russell CISO, Consumer Banking & Payments  Barclays
Jeffrey Walker CSO  International Flavors & Fragrances
Kylie Watson CISO  Sumitomo Mitsui Banking Corporation.
Brian Wilkins VP & CISO TradeStation
Mahmood Khan SVP & Global Chief Information Security Officer CNA Insurance
Ken Athanasiou VP, CISO VF Corporation
Brad Jones CISO Snowflake
Amit Basu VP, CIO & CISO International Seaways, Inc.
Stephen Luterman CTIO ExodusPoint Capital Management, LP
Nick Sherwood CISO Moody's Corporation
Lauren Dana VP, CISO PSEG
Sohaib Syeed Ahmed AVP First National Financial
Thomas Mager CISO Springer Nature Group
Patricia "Patty" Voight Executive Managing Director; CISO and Tech Risk Management Webster Bank
Tammy Klotz CISO Trinseo
Donna Ross  CISO Radian
Rob Suárez VP.& CISO CareFirst BlueCross BlueShield
Dr. Elizabeth Di Bene CISO Loudoun County Government
Vivek Kumar Global CISO Alter Domus
Andrew Cal CISO WestCap
Jay B. Mody CISO & Head of IT Infrastructure Chimera Investment Corporation
Phani Dasari CISO HGS - Hinduja Global Solutions
Abie George John CISO Halliburton
Parthasarathi Chakraborty VP, Global Head of Security Engineering Broadridge
Vivek S. Menon CISO & Head of Data Digital Turbine
Yogesh Badwe Chief Security Officer Druva
Sangram Dash CISO and VP of IT Sisense
Mahesh A. CISO and Data Officer Hidden Road
Rohan Singla CISO ChargePoint
Anurana Saluja VP (CISO) - Global Head of Information Security, Privacy & Business Continuity Sutherland
Chirag Shah Global Information Security Officer & DPO Model N
Navarasu Dhanasekar CISO Schneider Electric Digital Grid
Vasanth Madhure CISO Couchbase
Josh Stabiner CISO Vista Equity Partners
Chanda Dutta Head of Information Security William Blair
Brian Redler SVP, CISO Penguin Random House
James Anderson CISO Genworth Financial
Jim Desmond  SVP, Chief Security Officer Asurion
Jerry Kowalski CISO Jefferies
Carl Scaffidi Chief Information Security Officer - Senior Vice President Vystar Credit Union
Jody Jenkins VP & CISO Catalent Pharma Solutions
Lilian Seidaros CISO and Vice President, IT Infrastructure 360insights.com
Zeeshan Sheikh SVP, Chief Information & Digital Officer PSEG
Brian L. Director, Amazon Security - Global, Media & Entertainment & Ads Amazon Prime Video & Studios.
Martin Thibodeau SVP &CIO RONA
George Michalitsianos VP & CISO Ansell
Nalin Narayanam Chief Information Officer and CISO AdaptHealth
Manmohan Singh Assistant Vice President - Information Security & Deputy CISO UT Southwestern Medical Center
Milan Parikh Global Head, Infrastructure, Security and Network PTC Therapeutics
Nitin Raina SVP, Chief Information Security Officer Thoughtworks
Parthiv Shah Chief Information Security Officer, SVP Customer Bank
Mohana Balakrishnan CISO & CTO Schools Insurance Authority: SIA
Devon Bryan Global Chief Security Officer Booking Holdings Inc
Avi Ben-Menahem CISO NYDIG
Bala Rajagopalan Managing Director, Global CISO TradeWeb Markets
Jigar Shah Chief Information Security Officer Medusind
Gautam Nijhawan Head of CyberSecurity Eikon Therapeutics
Charan Singh Chief Information Security Officer Zelis
Upendra Mardikar Chief Information Security Officer TIAA
Raja Eswar Chief Information Security Officer State of California
Rohit Rajpara CISO Goldman Sachs Advisor Solutions
Chander M CISO and CTO Lazydays
Anupma Bhatia Head of Information Security TRANZACT
Vikas Mahajan VP & CISO American Red Cross
Stephen Harrison SVP, CISO MGM Resorts International
David Shaw CISO Transact Campus

Checkout.com Refuses Ransom After Hackers Access Old Merchant Files

14 November 2025 at 03:38

Checkout.com Data Breach

Checkout.com data breach concerns have surfaced after the global payment processor confirmed it was recently targeted by the cybercrime group ShinyHunters. The company reported that attackers gained access to documents stored in an old third-party cloud environment, though its core payment processing systems and sensitive financial information remain unaffected. According to early findings, the Checkout.com data breach occurred when ShinyHunters accessed a legacy storage system last used in 2020. The environment contained internal operational files and merchant onboarding documents. Checkout.com confirmed that the system had not been properly decommissioned, enabling unauthorized access.

Legacy Cloud System at Center of Checkout.com Data Breach

The Checkout.com data breach affects an estimated less than 25% of the company’s current merchant base, although the compromised data does not include payment card numbers, merchant bank funds, or any information linked to real-time transaction processing. In its statement, Checkout.com emphasized that its live payment platform was completely isolated from the targeted system. As a result, no transactional services, payment flows, or merchant funds were put at risk. The breach came to light when ShinyHunters contacted Checkout.com last week with an extortion demand. Instead of complying, the company publicly announced that it would not pay the ransom. Checkout.com stated that it will donate the equivalent amount requested by the criminals to two major institutions known for cybersecurity research: Carnegie Mellon University and the University of Oxford’s Cyber Security Center. The company said the decision aims to turn a criminal attack into an opportunity to strengthen the broader security community.

CTO Takes Responsibility and Calls for Transparency

Mariano Albera, Chief Technology Officer at Checkout.com, issued a detailed response acknowledging the company’s responsibility in failing to fully retire the outdated cloud storage system. He confirmed that the breach stemmed from a system “used in 2020 and prior years” and reiterated that no sensitive financial data was touched. Albera apologized for the concern caused to merchants and partners, stating:
  • “This was our mistake, and we take full responsibility.”
  • “We regret that this incident has caused worry for our partners and people.”
  • “Security, transparency and trust are the foundation of our industry.”
Albera stressed that Checkout.com is committed to informing any potentially affected partners and is cooperating with law enforcement and relevant regulators as part of a broader investigation.

Company Strengthens Commitment to Merchant Protection

While the Checkout.com data breach involved non-critical information, the company acknowledged the importance of addressing lapses tied to legacy technology. It also promised full support to any merchant seeking clarification or assistance. Checkout.com noted that its support channels remain open and that account representatives are proactively reaching out to anyone whose data may have been stored in the legacy system. The organization said this incident will also influence future technology governance processes, particularly those tied to sunsetting outdated infrastructure and third-party storage environments. Checkout.com says its choice to donate the ransom amount is intended as a symbolic yet meaningful stance against cyber extortion. By funding academic cybersecurity research, the company aims to help strengthen defenses not just for itself but for the wider digital ecosystem. The company stated that it will continue prioritizing transparency, accountability, and stronger security investments to ensure such incidents do not recur.

Phishing Attacks in Switzerland: NCSC Reports New Scams Targeting Crypto Users and Seniors

13 November 2025 at 03:32

Phishing Attacks in Switzerland

Phishing attacks are becoming increasingly targeted as scammers refine their tactics to exploit social and economic issues. Instead of mass emailing identical messages, cybercriminals now create tailored campaigns that appear legitimate to specific audiences. The National Cyber Security Centre (NCSC) has warned that these phishing attacks are becoming more advanced, often imitating trusted institutions such as government agencies, banks, or health insurers. By leveraging familiar branding and credible topics like cryptocurrency or tax rule changes, scammers are deceiving individuals into sharing personal information.

Phishing Emails Impersonate Canton of Zurich

In one of the latest reported incidents, recipients received emails that appeared to originate from the Canton of Zurich, urging them to update information to comply with new cryptocurrency tax regulations. The email carried the official logo and layout, included a short compliance deadline, and threatened fines or legal action if ignored.

[Image: Phishing Attack. Source: NCSC]

Victims were directed to a fake website that closely mirrored the legitimate Canton of Zurich portal. After providing personal details such as their address, IBAN, date of birth, and telephone number, users were shown a confirmation page and then redirected to the real website, reinforcing the illusion of authenticity.

[Image: online fraud. Source: NCSC]

[Image: phishing campaign. Source: NCSC]

Although the stolen data might not seem highly sensitive, authorities warn that it can be misused in follow-up scams. For instance, fraudsters may later call victims pretending to be bank representatives, using the collected personal details to sound credible and gain further access.

Emails Targeting Senior Citizens

A second phishing attack reported by the NCSC impersonated the Federal Tax Administration and focused on senior citizens. These emails referenced pension fund benefits, promising payouts and asking recipients to update their information. The messages used personalized greetings and professional formatting to build trust. While it is unclear if the emails were sent exclusively to older individuals, the targeted tone suggests an attempt to exploit a more vulnerable demographic.

[Image: Phishing Attacks. Source: NCSC]

Such campaigns highlight the shift from random spam emails to targeted phishing, where scammers invest more effort in psychological manipulation and social engineering.

Recommendations from the NCSC

Authorities are advising citizens to remain alert and follow these steps to reduce the risk of falling victim to phishing attacks:
  • Be cautious of any email requesting personal or financial details.
  • Never click on links or fill out forms from unsolicited messages.
  • Verify the sender’s address and look for missing salutations or unofficial URLs.
  • When uncertain, contact the official organization directly for clarification.
  • Report suspicious links to antiphishing.ch.
  • If financial information has been disclosed, contact your bank or card issuer immediately.
  • In case of monetary loss, report the incident to the police via the Suisse ePolice platform.

Proactive Measures Against Phishing Attacks

The evolution of phishing attacks in Switzerland demonstrates how cybercriminals continuously adapt their methods to exploit trust and uncertainty. While public awareness campaigns remain vital, organizations must also invest in threat intelligence solutions that detect fraudulent domains, fake websites, and malicious email infrastructure before they reach potential victims. Platforms like Cyble provide proactive visibility into phishing campaigns and threat actor activity across the dark web and surface web, enabling businesses to take timely action and protect their customers and employees. Learn more about how intelligence-led defense can safeguard your organization from phishing and social engineering threats: Request a demo from Cyble

US Imposes Sanctions on Burma Over Cyber Scam Operations

13 November 2025 at 02:12

US Treasury Sanctions Burma

The US Treasury has sanctioned a Burmese armed group and several related companies for their alleged involvement in cyber scam centers targeting American citizens. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced the designations as part of a broader effort to combat organized crime, human trafficking, and cybercriminal activities operating out of Southeast Asia. According to the Treasury Department, OFAC has sanctioned the Democratic Karen Benevolent Army (DKBA), a Burmese armed group, and four of its senior leaders for supporting cyber scam centers in Burma. These operations reportedly defraud Americans through fraudulent investment schemes.

US Treasury Sanctions Burma: OFAC Targets Armed Group and Associated Firms

The agency also designated Trans Asia International Holding Group Thailand Company Limited, Troth Star Company Limited, and Thai national Chamu Sawang, citing links to Chinese organized crime networks. These entities were found to be working with the DKBA and other armed groups to establish and expand scam compounds in the region. Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley stated, “criminal networks operating out of Burma are stealing billions of dollars from hardworking Americans through online scams.” He emphasized that such activities not only exploit victims financially but also contribute to Burma’s civil conflict by funding armed organizations.

Scam Center Strike Force Established

In coordination with agencies including the Federal Bureau of Investigation (FBI), U.S. Secret Service (USSS), and Department of Justice, a new Scam Center Strike Force has been launched to counter cyber scams originating from Burma, Cambodia, and Laos. This task force will focus on investigating and disrupting the most harmful Southeast Asian scam centers, while also supporting U.S. victims through education and restitution programs. The initiative aims to combine law enforcement, financial action, and diplomatic efforts to curb illicit online operations.

[Image: US Treasury Sanctions Burma. Source: Department of the Treasury’s Office of Foreign Assets Control (OFAC)]

An Ongoing Effort to Protect Victims

This Treasury sanctions action against Burma-based actors builds on previous measures targeting illicit actors in the region. Earlier in 2025, the Karen National Army (KNA) and several related companies were sanctioned for their roles in human trafficking and cyber scam activities. Additional designations in Cambodia and Burma followed, targeting groups such as the Prince Group and Huione Group for operating scam compounds and laundering proceeds from virtual currency investment scams. According to government reports, Americans lost over $10 billion in 2024 to Southeast Asia-based cyber scam operations, marking a 66 percent increase from the previous year.

Cyber Scams and Human Trafficking Links

Investigations revealed that many individuals working in scam centers are victims of human trafficking, coerced into online fraud through threats and violence. Some compounds, including Tai Chang and KK Park in Burma’s Karen State, are known hubs for cyber scams. The DKBA reportedly provides protection for these compounds while also participating in violent acts against trafficked workers. These scam networks often use messaging apps and fake investment platforms to deceive Americans. Victims are manipulated into transferring funds to scam-controlled accounts under the guise of legitimate investments.

Sanctions and Legal Implications

Following today’s actions, all property and interests of the designated individuals and entities within the United States are now blocked. The sanctions prohibit any U.S. person from engaging in transactions involving these blocked parties. Violations of OFAC regulations could lead to civil or criminal penalties. The sanctions initiative underscores the United States’ continued commitment to disrupting global cyber scam operations, holding organized crime networks accountable, and safeguarding victims of human trafficking and financial exploitation.

China Cyberattack Accusation Alleges U.S. Role in $13B Bitcoin Theft

12 November 2025 at 02:30

China Cyberattack accusation

China has leveled a cyberattack accusation against the United States, claiming Washington orchestrated the 2020 hack of the LuBian mining pool and later seized 127,000 Bitcoin—worth about $13 billion—under the guise of law enforcement. The claim, made by China’s National Computer Virus Emergency Response Center (CVERC), adds a new layer to escalating cyber tensions between the two countries. The agency alleges that the U.S. Department of Justice (DOJ) used “state-level hacking tools” to steal and control the stolen cryptocurrency before officially announcing its seizure in 2025.

CVERC Claims State-Level Hacking

According to the CVERC report, the 2020 LuBian mining pool hack was not a typical criminal incident but a state-sponsored cyber operation. Attackers drained over 127,000 BTC from LuBian’s hot wallets in December 2020. The stolen funds stayed inactive for nearly four years before moving to new blockchain addresses in mid-2024. The U.S. DOJ later claimed the Bitcoin was linked to Chen Zhi, chairman of Cambodia’s Prince Group, who was charged with crypto-related fraud. However, Beijing argues the movement patterns of the coins and the delayed action suggest a coordinated government operation rather than criminal activity.

U.S. Denies the Cyberattack Accusation

The U.S. Department of Justice has denied any wrongdoing, describing the Bitcoin seizure as lawful asset forfeiture tied to ongoing anti-money laundering investigations. Officials maintain that all actions followed legal channels and were not connected to any cyberattack accusation. CVERC, however, disputes this version of events, calling the seizure a “double cross.” It claims the U.S. government used its law enforcement agencies as cover for a cyber operation. The report also highlights the unusual four-year dormancy of the stolen assets, which it says is inconsistent with typical hacker behavior.

Weak Wallets Led to the 2020 Breach

The report also pointed to major technical flaws in LuBian’s security setup. Instead of using a 256-bit random number generator, LuBian reportedly relied on a 32-bit pseudo-random algorithm, making its private keys easy to brute-force. This vulnerability—similar to the MilkSad flaw (CVE-2023-39910)—allowed attackers to breach over 5,000 wallets in just hours. The stolen coins, worth $3.5 billion at the time, stayed untouched until 2024, when they were allegedly transferred to wallets later controlled by the U.S. government.
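The entropy problem described above is worth seeing in code. The following is an added example, not code from the article, from CVERC, or from LuBian: the "weak" generator is a hypothetical model of the flaw (a key derived deterministically from a 32-bit seed), and the "strong" generator shows the pattern a wallet should use instead, drawing 256 bits from the operating system's CSPRNG and rejection-sampling into the valid secp256k1 key range. The point it makes is that the effective search space for a deterministically derived key is capped by the seed entropy, no matter how long the output is.

```python
"""Added example (not from the article or from LuBian): why a 32-bit seed cannot
produce a 256-bit private key with 256 bits of security.

The weak generator below is a hypothetical model of the flaw the article
describes (a 32-bit seed fed into a PRNG), not LuBian's actual code.
"""
import random
import secrets

# Order of the secp256k1 group; a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def weak_private_key(seed32: int) -> int:
    """Hypothetical weak generator: the whole key is a deterministic function of a
    32-bit seed, so at most 2**32 distinct keys can ever come out of it."""
    if not 0 <= seed32 < 2**32:
        raise ValueError("seed must fit in 32 bits")
    rng = random.Random(seed32)          # PRNG state fully determined by 32 bits
    return rng.getrandbits(256) % (SECP256K1_N - 1) + 1


def strong_private_key() -> int:
    """Correct generator: 256 bits straight from the OS CSPRNG, rejection-sampled
    into [1, N-1] so the distribution over valid keys is uniform."""
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= k < SECP256K1_N:
            return k


def is_valid_private_key(k: int) -> bool:
    """Range check every wallet should apply before using a key."""
    return 1 <= k < SECP256K1_N


def candidate_keyspace_bits(seed_bits: int, key_bits: int = 256) -> int:
    """Effective search space of a key derived deterministically from a seed:
    never more than the seed entropy, regardless of output length."""
    return min(seed_bits, key_bits)


if __name__ == "__main__":
    # Same seed, same key: the weak key is reproducible by anyone who enumerates seeds.
    print(weak_private_key(12345) == weak_private_key(12345))
    print(candidate_keyspace_bits(32))    # 32 bits: roughly 4.3e9 candidates
    print(candidate_keyspace_bits(256))   # 256 bits: the strength a 256-bit key should have
    print(is_valid_private_key(strong_private_key()))
```

Running the block prints True, 32, 256 and True. The practical check for a wallet implementation is the last function: whatever produces the key must itself draw at least 256 bits of fresh entropy, which is exactly what a 32-bit seed cannot provide.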

A New Flashpoint in U.S.-China Cyber Relations

The China cyberattack accusation highlights growing geopolitical friction over technology and digital assets. The seized Bitcoin represents around 0.65% of the total Bitcoin supply, a significant sum with the potential to impact global markets if further disputes arise. While the U.S. has yet to formally respond to the latest claims, the case highlights how cybersecurity and cryptocurrency enforcement are becoming increasingly intertwined with international diplomacy. For now, both sides are standing firm: Beijing sees the seizure as a state-level hack, while Washington continues to frame it as a legitimate law enforcement action.

UK Tightens Cyber Laws as Attacks Threaten Hospitals, Energy, and Transport

12 November 2025 at 00:44

Cyber Security and Resilience Bill

The UK government has unveiled the Cyber Security and Resilience Bill, a landmark move to strengthen UK cyber defences across essential public services, including healthcare, transport, water, and energy. The legislation aims to shield the nation’s critical national infrastructure from increasingly complex cyberattacks, which have cost the UK economy nearly £15 billion annually. According to the latest Cyble report — “Europe’s Threat Landscape: What 2025 Exposed and Why 2026 Could Be Worse”, Europe witnessed over 2,700 cyber incidents in 2025 across sectors such as BFSI, Government, Retail, and Energy. The report highlights how ransomware groups and politically motivated hacktivists have reshaped the regional threat landscape, emphasizing the urgency of unified cyber resilience strategies.

Cyber Security and Resilience Bill to Protect Critical National Infrastructure

At the heart of the new Cyber Security and Resilience Bill is the protection of vital services that people rely on daily. The legislation will ensure hospitals, water suppliers, and transport operators are equipped with stronger cyber resilience capabilities to prevent service disruptions and mitigate risks from future attacks. The Cyber Security and Resilience Bill will, for the first time, regulate medium and large managed service providers offering IT, cybersecurity, and digital support to organisations like the NHS. These providers will be required to report significant incidents promptly and maintain contingency plans for rapid recovery. Regulators will also gain authority to designate critical suppliers — such as diagnostic service providers or energy suppliers — and enforce minimum security standards to close supply chain gaps that cybercriminals could exploit. To strengthen compliance, enforcement will be modernised with turnover-based penalties for serious violations, ensuring cybersecurity remains a non-negotiable priority. The Technology Secretary will also have powers to direct organisations, including NHS Trusts and utilities, to take urgent actions to mitigate threats to national security.

UK Cyber Defences Face Mounting Pressure Amid Rising Attacks

Recent data shows the average cost of a significant cyberattack in the UK now exceeds £190,000, amounting to nearly £14.7 billion in total annual losses. The Office for Budget Responsibility (OBR) warns that a large-scale attack on critical national infrastructure could push borrowing up by £30 billion, equivalent to 1.1% of GDP. These findings align closely with Cyble’s Europe’s Threat Landscape report, which observed the rise of new ransomware groups like Qilin and Akira and a surge in pro-Russian hacktivism targeting European institutions through DDoS and defacement campaigns. The report also revealed that the retail sector accounted for 41% of all compromised access sales, demonstrating the widespread impact of evolving cybercrime tactics. Both the government and industry experts agree that defending against these threats requires a unified approach. National Cyber Security Centre (NCSC) CEO Dr. Richard Horne emphasised that “the real-world impacts of cyberattacks have never been more evident,” calling the Bill “a crucial step in protecting our most critical services.”

Building a Secure and Resilient Future

The Cyber Security and Resilience Bill represents a major shift in how the UK safeguards its people, economy, and digital ecosystem. By tightening cyber regulations for essential and digital services, the government seeks to reduce vulnerabilities and strengthen the UK’s cyber resilience posture for the years ahead. Industry leaders have welcomed the legislation. Darktrace CEO Jill Popelka praised the government’s initiative to modernise cyber laws in an era where attackers are leveraging AI-driven tools. Cisco UK’s CEO Sarah Walker also noted that only 8% of UK organisations are currently “mature” in their cybersecurity readiness, highlighting the importance of continuous improvement. Meanwhile, the Cyble report on Europe’s Threat Landscape warns that as state-backed operations merge with financially motivated attacks, 2026 could bring even more volatility. Cyble Research and Intelligence Labs recommends that organisations adopt intelligence-led defence strategies and proactive threat monitoring to stay ahead of emerging adversaries.

The Road Ahead

Both the Cyber Security and Resilience Bill and Cyble’s Europe’s Threat Landscape findings serve as a wake-up call: the UK and Europe are facing a new era of persistent cyber risks. Strengthening collaboration between government, regulators, and private industry will be key to securing critical systems and ensuring operational continuity. Organizations can explore deeper insights and practical recommendations from Cyble’s Europe’s Threat Landscape: What 2025 Exposed — and Why 2026 Could Be Worse report here, which provides detailed sectoral analysis and strategies to build a stronger, more resilient future against cyber threats.

Global GRC Platform Market Set to Reach USD 127.7 Billion by 2033

12 November 2025 at 00:36

GRC Platform Market

The GRC platform market is witnessing strong growth as organizations across the globe focus on strengthening governance, mitigating risks, and meeting evolving compliance demands. According to recent estimates, the market was valued at USD 49.2 billion in 2024 and is projected to reach USD 127.7 billion by 2033, growing at a CAGR of 11.18% between 2025 and 2033.

This GRC platform market growth reflects the increasing need to protect sensitive data, manage cyber risks, and streamline regulatory compliance processes.

Rising Need for Governance, Risk, and Compliance Solutions

As cyberthreats continue to rise, enterprises are turning to GRC platforms to gain centralized visibility into their risk posture. These solutions help organizations identify, assess, and respond to potential risks, ensuring stronger governance and reduced operational disruption.

The market’s momentum is also fueled by heightened regulatory scrutiny and the introduction of new compliance frameworks worldwide. Businesses are under pressure to maintain transparency, accuracy, and accountability in their governance and reporting processes — areas where a GRC platform adds significant value.

By integrating governance, risk, and compliance management into one system, companies can make informed decisions, reduce human error, and ensure consistent adherence to evolving regulations.

GRC Platform Market Insights and Key Segments

The GRC platform market is segmented based on deployment model, solution, component, end-user, and industry vertical.

  • Deployment Model: The on-premises deployment model dominates the market due to enhanced security and customization options. It is preferred by organizations handling sensitive data or operating under strict regulatory environments.

  • Solution Type: Compliance management holds the largest market share as businesses prioritize automation of documentation, tracking, and reporting to stay audit-ready.

  • Component: Software solutions lead the market by offering analytics, policy management, and workflow automation to streamline risk processes.

  • End User: Medium enterprises represent the largest segment, focusing on scalable solutions that balance security and efficiency.

  • Industry Vertical: The BFSI sector remains a key adopter due to its complex regulatory landscape and high data security requirements.

Key Drivers of the GRC Platform Market

Several factors contribute to the rapid expansion of the GRC platform market:

  1. Escalating Cyber Risks: As cyber incidents become more frequent and sophisticated, organizations seek to integrate cybersecurity measures within GRC frameworks. These integrations improve detection, response, and recovery capabilities.

  2. Evolving Compliance Standards: Increasing regulatory pressure drives adoption of GRC solutions to ensure businesses stay aligned with global standards like GDPR, HIPAA, and ISO 27001.

  3. Automation and Efficiency: Advanced GRC software reduces manual reporting and enhances accuracy, enabling faster audit responses and improved decision-making.

  4. Operational Resilience: A robust GRC system ensures business continuity by minimizing vulnerabilities and improving crisis management strategies.

Regional Outlook and Future Trends

North America currently leads the GRC platform market, supported by mature digital infrastructure and strong regulatory frameworks. Meanwhile, the Asia-Pacific region is emerging as a key growth area, driven by increased cloud adoption and a rising focus on data privacy.

In the coming years, integration with AI, analytics, and threat intelligence tools will transform how organizations approach governance and risk. The market is expected to evolve toward more predictive and adaptive compliance solutions.

Leveraging Threat Intelligence for Stronger Risk Governance

As organizations expand their digital ecosystems, threat intelligence has become a vital part of effective risk management. Platforms like Cyble help enterprises identify, monitor, and mitigate emerging cyber risks before they escalate. Integrating such intelligence-driven insights into a GRC platform strengthens visibility and helps build a proactive security posture.

For security leaders aiming to align governance with real-time intelligence, exploring a quick free demo of integrated risk and compliance tools can offer valuable perspective on enhancing organizational resilience.

New York’s First-of-Its-Kind Algorithmic Pricing Law Goes Into Effect

11 November 2025 at 03:29

Personalized Algorithmic Pricing

In a major step toward transparency in digital commerce, New York’s Algorithmic Pricing Disclosure Act officially took effect on November 10, 2025, requiring businesses to disclose when they use personalized algorithmic pricing to determine what consumers pay. The New York law mandates that any company using automated pricing systems based on personal data must display a clear and visible notice stating, “This price was set by an algorithm using your personal data.” Companies that fail to comply could face civil penalties of up to $1,000 per violation, marking one of the most stringent algorithmic pricing disclosure requirements in the United States.

Scope and Impact of Personalized Algorithmic Pricing Law

Under the Algorithmic Pricing Disclosure Act, businesses operating in or serving customers within New York must disclose if they use personalized algorithmic pricing — defined as dynamic pricing set by an algorithm that uses personal data. The law broadly defines personal data as any information that identifies or could reasonably be linked, directly or indirectly, to a specific consumer or device. This includes data derived from online behavior, purchase history, device identifiers, or other digital footprints — regardless of whether users voluntarily provided such data. Entities covered by the law include those domiciled or conducting business in New York, regardless of where their headquarters are based, if they promote algorithmically determined prices to consumers in the state. The law also clarifies that certain data uses and sectors are exempt. For instance, location data used solely by transportation network companies and for-hire vehicles to calculate fares based on mileage or trip duration is excluded. Additionally, regulated financial institutions, insurance companies, and businesses offering subscription-based contracts fall outside the Act’s scope.

Court Upholds the Algorithmic Pricing Disclosure Act

Implementation of the Algorithmic Pricing Disclosure Act had been delayed following a First Amendment challenge in the Southern District of New York. The case questioned whether compelling companies to disclose algorithmic pricing practices infringed upon free speech rights. However, the court upheld the law’s constitutionality, ruling that the required disclosure was “plainly factual” and not controversial merely because businesses might prefer not to reveal their pricing methods. With this ruling, enforcement proceeded without further delay.

Attorney General’s Office to Enforce Personalized Algorithmic Pricing Compliance

New York Attorney General Letitia James has made clear her intention to rigorously enforce the new algorithmic pricing disclosure law. On November 5, 2025, her office issued a consumer alert urging residents to report companies that fail to display the required notices through an official online complaint form. The Attorney General’s Office is empowered to investigate potential violations whenever there is “reason to believe” a company is not in compliance. This can include complaints from consumers or findings from state-led audits. Violators will first receive a notice to cure alleged violations within a specified period. If they fail to take corrective action, the Attorney General can seek injunctions and monetary penalties — up to $1,000 per instance, without any maximum cap. Importantly, enforcement does not require proof of individual consumer harm or financial loss, making it easier for regulators to act swiftly.

Illuminate Education Fined $5.1 Million for Failing to Protect Student Data

10 November 2025 at 04:17

Illuminate Education Data Breach

The Attorneys General of California, Connecticut, and New York have announced a $5.1 million settlement with Illuminate Education, Inc., an educational technology company, for failing to adequately protect student data in a 2021 cyber incident. The Illuminate Education data breach exposed the personal information of millions of students across the United States, including over 434,000 students in California alone. The settlement includes $3.25 million in civil penalties for California and a series of court-approved requirements to strengthen the company’s cybersecurity posture. The announcement marks one of the most significant enforcement actions under California’s K-12 Pupil Online Personal Information Protection Act (KOPIPA), highlighting growing regulatory attention on the privacy of children’s data in the digital age.

Illuminate Education Data Breach That Exposed Sensitive Student Data

The 2021 Illuminate Education data breach occurred when a hacker gained access to Illuminate’s systems using credentials belonging to a former employee, an account that had never been deactivated. Once inside the network, the attacker created new credentials, maintained access for several days, and stole or deleted student data. The compromised information included names, races, medical conditions, and details related to special education services, all considered highly sensitive personal data. An investigation by the California Department of Justice found that Illuminate failed to implement basic cybersecurity practices, including:
  • Terminating access for former employees
  • Monitoring suspicious logins or activities
  • Securing backup databases separately from live systems
Investigators also revealed that Illuminate had made misleading claims in its Privacy Policy, suggesting its safeguards met federal and state requirements when they did not. The company had even advertised itself as a signatory of the Student Privacy Pledge, only to be removed after the breach.
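The first two gaps the investigators list, leftover credentials of former employees and no monitoring of suspicious logins, can be caught by one cheap control: correlating authentication events with HR offboarding records. The following is an added example, not Illuminate's own tooling or anything from the settlement; the offboarding records, the log lines and the log format are all constructed for the demonstration. It flags any successful login or account-creation event performed by a user after that user's last day, which is precisely the pattern described above (a former employee's account logging in and then creating new credentials).

```python
"""Added example (not from the article or from Illuminate): flag authentication
activity by accounts that should have been deactivated at offboarding.

The offboarding table, the log lines and the log format below are constructed
sample data; a real deployment would read the HR feed and the IdP/SSO audit log.
"""
import re
from datetime import datetime, timezone

# Constructed offboarding records: username -> last day of employment (UTC).
OFFBOARDED = {
    "jdoe": datetime(2021, 10, 15, tzinfo=timezone.utc),
    "asmith": datetime(2021, 11, 1, tzinfo=timezone.utc),
}

# Constructed audit log in an assumed "<ISO-8601 UTC> <EVENT> user=<name> ..." format.
SAMPLE_LOG = """\
2021-12-20T02:14:07Z LOGIN_OK user=jdoe src=203.0.113.7
2021-12-20T02:15:31Z USER_CREATED user=svc-backup by=jdoe
2021-12-20T09:01:12Z LOGIN_OK user=mlee src=198.51.100.4
2021-10-14T17:45:00Z LOGIN_OK user=jdoe src=192.0.2.10
2021-12-21T03:02:55Z LOGIN_OK user=asmith src=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+)(?: (?P<rest>.*))?$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m.group("event"), "user": m.group("user"),
            "rest": m.group("rest") or ""}


def find_stale_account_activity(log_text: str, offboarded: dict) -> list:
    """Return (actor, event, iso_timestamp) for every event performed by an
    offboarded account after its last day. Logins and account creations both count;
    for USER_CREATED the actor is the 'by=' field, not the account being created."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        actor = rec["user"]
        if rec["event"] == "USER_CREATED":
            by = re.search(r"by=(\S+)", rec["rest"])
            actor = by.group(1) if by else actor
        last_day = offboarded.get(actor)
        if last_day is not None and rec["ts"] > last_day:
            hits.append((actor, rec["event"], rec["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    for actor, event, when in find_stale_account_activity(SAMPLE_LOG, OFFBOARDED):
        print(f"ALERT stale account {actor}: {event} at {when}")
```

On the constructed data this raises three alerts: the login by jdoe two months after offboarding, the account jdoe then created, and the later login by asmith. The login on 2021-10-14 is not flagged because it precedes jdoe's last day. The same join works as a scheduled query in a SIEM; the harder, and more valuable, fix is to drive deprovisioning from the HR feed so the stale account never exists to be alerted on.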

Legal and Regulatory Response

California Attorney General Rob Bonta called the case “a reminder to all tech companies, especially those handling children’s data, that California law demands strong safeguards.” “Illuminate failed to appropriately safeguard the data of school children,” Bonta said. “Our investigation revealed troubling security deficiencies that should never have happened for a company entrusted with protecting sensitive data about kids.” Connecticut Attorney General William Tong added that the case marked the first enforcement action under Connecticut’s Student Data Privacy Law. “Technology is everywhere in schools today,” he said. “This action holds Illuminate accountable and sends a clear message to educational technology companies that they must take privacy obligations seriously.” New York Attorney General Letitia James echoed similar concerns: “Students, parents, and teachers should be able to trust that their schools’ online platforms are safe and secure. Illuminate violated that trust and failed to take even basic steps to protect student data.”

Compliance Measures and Industry Lessons

As part of the settlement, Illuminate has agreed to:
  • Strengthen account management and terminate credentials of former employees.
  • Enable real-time monitoring for suspicious activity.
  • Segregate backup databases from active networks.
  • Notify authorities promptly in case of future breaches.
  • Remind school districts to review stored student data for retention and deletion compliance.
This Illuminate Education data breach case follows several other enforcement actions led by Attorney General Bonta, including settlements with Sling TV, Blackbaud, and Tilting Point Media, each involving data privacy violations.

EdTech Sector Under Radar

The Illuminate case emphasizes the critical need for cybersecurity in educational technology. As schools increasingly depend on digital platforms, student data has become a prime target for cybercriminals. Experts emphasize that proactive measures such as continuous monitoring, identity management, and early threat detection are essential to prevent similar incidents. Platforms like Cyble Vision are designed to help organizations detect breaches, monitor risks in real-time, and safeguard sensitive data against evolving cyber threats. For education providers, regulators, and enterprises alike, this case serves as a clear signal — cyber negligence is no longer an option. To learn how Cyble can help strengthen your organization’s data protection and threat monitoring capabilities, request a demo and see how proactive intelligence can prevent the next breach.

India Rolls Out Digital Life Certificate 4.0, Urges Pensioners to Stay Cyber Safe

10 November 2025 at 00:52

Digital Life Certificate 4.0

The Government of India’s Department of Pension & Pensioners’ Welfare (DoPPW) has launched the Digital Life Certificate (DLC) Campaign 4.0, a national drive to make pension services more accessible and efficient for millions of retired central government employees. The Digital Life Certificate 4.0 initiative aims to simplify how pensioners verify their annual life certificates — an essential process to continue receiving pension benefits. Through Face Authentication Technology, biometric devices, mobile applications, and doorstep services, pensioners can now complete the process without visiting a government office or bank.

Simplifying Pension Submissions Through Digital Life Certificate 4.0

The Digital Life Certificate 4.0, also known as Jeevan Pramaan, is a key part of India’s digital governance efforts. It allows pensioners to verify their identity remotely, reducing the need for in-person visits and paperwork. This move is especially beneficial for elderly citizens and those living in distant locations, including Indian pensioners residing overseas. The Department of Pension & Pensioners’ Welfare continues to expand its reach through the DLC 4.0 campaign, running from November 1 to November 30, 2025, to ensure that every pensioner can submit their life certificate easily and securely through digital means.

[Image: Digital Life Certificate 4.0. Source: https://www.staffnews.in/2025/11/]

Strengthening Cybersecurity Awareness

With the growing adoption of online systems, the department has also issued an important cybersecurity advisory to protect pensioners from fraud, identity theft, and misuse of personal information. The India pensioners cybersecurity advisory emphasizes that while digital services improve convenience, cybersecurity awareness is crucial to ensure safe transactions. Below are the key precautions the department has advised all pensioners to follow:
  1. Use Only Authorized Platforms
Pensioners should submit their Digital Life Certificate 4.0 only through verified government channels such as: The government has cautioned against using unverified apps or agents claiming to assist with certificate submissions.
  2. Safeguard Personal Information
Pensioners are advised not to share their Aadhaar number, OTPs, bank details, Pension Payment Order (PPO) number, or mobile number with anyone other than authorized officials. Sharing such details can lead to financial or identity-related fraud.
  3. Beware of Fake Calls and Messages
The government clarified that no official agency will ever ask for a pensioner’s password, bank PIN, or OTP over the phone or email. Pensioners are encouraged to double-check any communication claiming to be from a government source.
  4. Keep Devices and Internet Secure
It is important to update mobile phones and computers with the latest software and antivirus protection. Pensioners should also use secure Wi-Fi or mobile networks while submitting their life certificates online.
  5. Report Suspicious Activity
If pensioners suspect any misuse or fraudulent activity, they should immediately report it to their respective banks or file a complaint on India’s official Cyber Crime Portal at https://cybercrime.gov.in.

Building a Safer Digital Ecosystem

By combining convenience with cybersecurity, the Indian government is ensuring that digital initiatives like DLC 4.0 are both user-friendly and secure. The campaign represents a broader national effort to promote digital inclusion, enabling senior citizens to access government services with confidence. For pensioners—particularly those who may be less familiar with online systems—this advisory serves as an essential guide to safe digital practices. It reminds users that while technology makes life easier, vigilance remains the best defense against cyber threats. The Department of Pension & Pensioners’ Welfare’s advisory, issued with the approval of the competent authority, underscores India’s growing focus on building a secure and trusted digital future for its citizens. As the DLC 4.0 campaign continues through November 30, 2025, pensioners in India and abroad are encouraged to make use of these digital options—safely, confidently, and with full awareness of the cybersecurity measures that protect them.

U.S.-based Sling TV to Pay $530,000 Settlement for Violating California Privacy Law

3 November 2025 at 00:57

Sling TV Privacy Fine

California Attorney General Rob Bonta has announced a $530,000 Sling TV privacy fine against Sling TV LLC and Dish Media Sales LLC, marking the first enforcement action from the Department of Justice’s (DOJ) 2024 sweep of streaming services for compliance with the California Consumer Privacy Act (CCPA). The Sling TV privacy fine resolves allegations that the U.S.-based streaming service failed to make it easy for users to opt out of the sale of their personal data and did not provide adequate privacy protections for children. The company is also required to implement significant changes to how it handles user data and privacy requests.

Privacy Rights and Enforcement

The CCPA grants Californians several privacy rights, including the ability to know what data companies collect, to request deletion of personal information, and to opt out of the sale of their data. According to Attorney General Bonta, Sling TV violated these rights by creating confusing and burdensome procedures for consumers attempting to exercise their opt-out options. “Californians have critical privacy rights,” said Attorney General Bonta. “We take privacy rights seriously, and Sling TV was not providing consumers an easy way to opt out of the sale of their personal data as required. My office is committed to the continued enforcement of the CCPA — every Californian has the right to their online privacy, especially in the comfort of their living room.”

How Sling TV Fell Short

Sling TV operates as an internet-based live TV service offering both paid and ad-supported options. Unlike traditional broadcasting, Sling uses viewer data such as age, gender, location, and income to deliver targeted advertisements. The DOJ’s investigation found that the platform’s privacy settings and opt-out mechanisms were difficult to navigate and ineffective. Consumers seeking to opt out of data sales were directed to cookie preference settings, which did not actually prevent their information from being sold or shared. Even logged-in users, whose details were already known to Sling TV, had to complete lengthy web forms to process their requests. The company also lacked built-in opt-out options on streaming apps used on living room devices such as smart TVs. Additionally, Sling TV failed to provide appropriate protections for minors. It did not offer dedicated kids’ profiles that would limit targeted advertising or require parental consent when users under 16 were likely watching.

Terms of the Sling TV Privacy Fine Settlement

Under the settlement, which is subject to court approval, Sling TV must make several key changes:
  • Simplify the opt-out process: Consumers can no longer be directed to cookie settings when attempting to exercise CCPA rights.
  • Reduce redundant steps: Logged-in users will not be required to provide information already available to the company.
  • Expand accessibility: The opt-out feature must be available directly through Sling TV’s app across different devices.
  • Enhance child protections: Parents will be able to set up “kid’s profiles” that automatically block targeted advertising and data sales.
  • Improve disclosures: The company must give parents clear information and tools to safeguard their children’s privacy.

Broader CCPA Enforcement Efforts

The Sling TV privacy fine marks the fifth major settlement under California’s privacy law since it took effect. Earlier cases include Healthline Media ($1.55 million), Tilting Point Media ($500,000), DoorDash, and Sephora — all for violations related to consumer data and opt-out requirements. Attorney General Bonta’s office has conducted multiple investigations across mobile apps, data brokers, and streaming platforms to ensure compliance with the state’s privacy law. The Attorney General emphasized that enforcing privacy rights remains a priority as Californians increasingly rely on connected devices and streaming services.

Middle East Cybersecurity Market to Double by 2030, Fueled by AI and Cloud Adoption

31 October 2025 at 03:10

Middle East Cybersecurity Market

The Middle East Cybersecurity Market is experiencing unprecedented momentum, driven by rapid digital transformation, a surge in cyberattacks, and strong government-led security initiatives. According to a new report by Mordor Intelligence, the market is projected to expand from USD 20.55 billion in 2025 to USD 40.97 billion by 2030, growing at a robust 14.8% CAGR. As digital adoption accelerates across industries, cybersecurity in the Middle East has become a top business priority. Both public and private sectors are investing heavily in modern security frameworks to protect operational infrastructure, customer data, and national digital assets. The increasing frequency of targeted cyberattacks and complex ransomware incidents has reinforced the importance of building cyber resilience at every level of the ecosystem. Governments in the region, particularly within the GCC Cybersecurity Market, have integrated cybersecurity into national transformation agendas such as Saudi Vision 2030 and UAE Vision 2021. These initiatives view cybersecurity not merely as an IT function, but as a strategic pillar for ensuring economic stability, innovation, and citizen trust.

Middle East Cybersecurity Trends Driving Market Expansion

  1. Rising Nation-State and Infrastructure Attacks: The rise in nation-state attacks has placed pressure on critical infrastructure operators and enterprises to strengthen defense postures. Long-term infiltration campaigns targeting regional energy and industrial networks have led to the adoption of zero-trust architectures and proactive threat monitoring systems, setting a new standard in the Middle East Cybersecurity Market.
  2. Government-Driven Cybersecurity Initiatives: Across the GCC Cybersecurity Market, governments are driving progress through funding, regulations, and awareness programs. National “Vision” plans have institutionalized cybersecurity spending, fostering compliance, resilience testing, and workforce training across vital sectors like energy, finance, and healthcare.
  3. Cloud Adoption Creating New Security Demands: The rapid migration toward cloud-first and SaaS environments is reshaping cybersecurity in the Middle East. Data sovereignty, identity management, and secure access are emerging as major challenges, prompting organizations to invest in advanced cloud security solutions. Public sector agencies, in particular, are deploying dedicated security layers to safeguard sensitive workloads.
  4. Rise of AI and Managed Security Services: Artificial intelligence (AI) and automation are key forces behind Cybersecurity Market Growth in the region. AI-powered analytics enable faster threat detection and incident response, while Managed Security Service Providers (MSSPs) are consolidating capabilities through mergers and alliances to offer comprehensive, region-specific protection solutions.

Middle East Cybersecurity Market Insights and Breakdown

The Middle East Cybersecurity Market remains diverse and dynamic, with both international and local players expanding rapidly:
  • Solutions accounted for 53% of market share in 2024, though services are projected to grow faster at 19% CAGR through 2030 as enterprises increasingly outsource cybersecurity operations.
  • Cloud-based deployments are growing at 18.9% CAGR, outpacing traditional on-premise models that held 27.6% of the market in 2024.
  • Large enterprises continue to dominate spending with 52.8% share, but SMEs are quickly catching up, growing at 17.8% CAGR as cyber threats become more democratized.
  • The BFSI sector led with 21.4% revenue share in 2024, followed by healthcare, forecast to grow at 20.6% CAGR.
  • Geographically, the United Arab Emirates leads with 30% share, while Israel is emerging as the fastest-growing market at 18% CAGR.

Drivers and Challenges

The key forces behind Cybersecurity Market Growth include rising nation-state attacks, cloud transformation, and regulatory cybersecurity mandates. AI-driven analytics and modernization of operational technology (OT) systems—particularly in oil and gas—are further enhancing demand. However, talent shortages remain a major challenge. The region’s accelerated digitalization has outpaced the availability of skilled cybersecurity professionals. For instance, utilities in Saudi Arabia are struggling to fill critical positions despite offering double-digit salary increases. Universities are responding with expanded programs, but expertise in AI security, cloud protection, and incident response remains limited. As governments continue to prioritize cyber resilience and local MSSPs strengthen their capabilities, the Middle East cybersecurity market is on track for sustained, double-digit growth over the coming decade.