Tag: data-breach
All items tagged data-breach.
- Brazil's national Cell Broadcast alert platform hijacked to push fake "Extreme Alert" messages to ~30M phones [SINGLE-SOURCE]
- FortiBleed — Russian-speaking operator cracking 86,644 FortiGate credentials into Active Directory
- ShinyHunters extortion brand — Council of Europe named, Kodak and One Medical added to the leak-site pressure
- Klue / Icarus — one dormant integration credential cascades into multi-tenant Salesforce CRM theft
- Public administration — named European institutions and government data in the firing line
- Education — exposed CMS and forum software stack a structural risk
- Healthcare — third-party exposure and a 16-month notification gap
- Energy, water & OT — perimeter and process failures, with an OT-adjacent halt
- Technology & SaaS supply chain — the week's busiest victim class
- Insider and process failures — Munich school data, a lost SSD, and an NHS records caution
- The third-party breach as the week's dominant entry vector
- EDPB adopts a harmonised GDPR Article 33 breach-notification template — consultation open to 5 August
- UK ICO left leaderless mid-restructure — Commissioner resigns with immediate effect
- UK Information Commissioner resigns with immediate effect — regulator left leaderless mid-restructure
- HCRG Care Group first notifies patients of a February 2025 Medusa breach — 16 months on [SINGLE-SOURCE]
- Texas Parks & Wildlife: 3.08M licence holders exposed via an unnamed third-party vendor — with a public-vs-AG-filing SSN contradiction
- Amazon's One Medical confirms a legacy-storage breach; ShinyHunters' 8.8TB claim is unverified and its deadline expires today [SINGLE-SOURCE]
- UPDATE: Klue OAuth-token breach — victim list grows, CRM-API abuse chain detailed
- Nintendo employee data stolen from third-party HR-survey SaaS (TinyPulse), not Nintendo's own systems
- Kodak confirms breach after ShinyHunters leak-site listing; June 18 deadline passed without publication
- UPDATE: FortiBleed reaches 86,644 compromised FortiGate devices; CISA issues emergency hardening guidance
- UK ICO issues criminal caution to London Clinic insider over Princess of Wales medical-record access
- Icarus extortion group turns a dormant Klue credential into bulk Salesforce CRM theft across customers
- FortiBleed — 73,932 internet-facing FortiGate devices exposed, Russian-speaking group cracking credentials into Active Directory
- Munich: ~120,000 student records suspected on the darknet — terminated employee under investigation
- UPDATE: Novo Nordisk — FulcrumSec claims authorship, $25M demand refused, data offered for private sale
- WordPress supply-chain compromise via Awesome Motive's CDN backdoors ~1.2M sites
- iRhythm discloses data theft via social engineering of a third-party-hosted application (SEC 8-K) [SINGLE-SOURCE]
- UPDATE: Council of Europe named as a victim of the Oracle PeopleSoft (CVE-2026-35273) campaign
- UPDATE: Novo Nordisk clarifies stolen-data scope — non-pseudonymised HCP data in play
- Handala breaches California Water Service through an internet-exposed RTKBase GNSS platform — billing PII for ~2M customers leaked, no OT access
- CVE-2026-35273 — Oracle PeopleSoft: confirmed zero-day exploited by ShinyHunters (UNC6240), education sector hit hardest
- Maine breach-notification portal hoax — fraudulent filings against VRChat and Discord, then the portal goes dark
- Education — ShinyHunters' PeopleSoft campaign lands disproportionately on universities
- Healthcare & energy — large-scale personal-data exposure from theft and from mishandling
- France's Tchap government messenger — account-takeover scrapes 73,467 civil servants' metadata
- Novo Nordisk — theft of non-public data including personal data
- South Korea fines Coupang a record ₩624.7 bn over an unrevoked signing key
- EDPB adopts a harmonised GDPR Article 33 breach-notification template
- Kyushu Electric subsidiary loses an unencrypted SSD with 10.9 million customer records — reportedly Japan's largest personal-data breach
- Novo Nordisk discloses theft of clinical-trial and healthcare-professional data
- South Korea fines Coupang a record ₩624.7 bn over an unrevoked signing key held by a former employee
- UPDATE: Oracle PeopleSoft CVE-2026-35273 attributed to ShinyHunters; confirmed zero-day, 100+ victims, education sector hit hardest
- UPDATE: Maine AG takes its breach-notification portal offline after confirming the VRChat/Discord filings were a hoax
- [SINGLE-SOURCE] Maine's breach-notification portal abused for fraudulent filings against VRChat and Discord — both companies deny any breach
- UPDATE: ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records
- ServiceNow unauthenticated REST endpoint queried customer instance tables before a silent 5 June patch
- EDPB adopts a harmonised GDPR Article 33 breach-notification template; consultation open to 5 August
- France's Tchap government messenger breached via account takeover — 73,467 civil servants' metadata scraped, CNIL notified
- Meta discloses 20,225 Instagram account takeovers via an AI support-tool logic flaw; Maine AG notification filed 8 June
- Oxford University CareerConnect (Group GTI) breach exposes students at multiple UK universities
- ICO secures Proceeds-of-Crime confiscation from former RAC employees who sold ~30,000 customer records
- Healthcare — HIPAA breach + healthcare supply-chain exposure
- Finance / payments — Stripe-abusing Magecart and OFAC Iran sanctions
- Luna Moth / UNC3753: vishing-to-physical-USB data-theft extortion reaches ~$20 M suppression payment and DNS fast-flux C2
- ShinyHunters — DentaQuest: 234 GB HIPAA claims data published after ransom refusal, 2.6 M Medicaid and dental-benefit records
- Booking.com WhatsApp phishing + upstream hotel SaaS breach: real reservation data weaponised, 100+ properties affected, Dutch DPA opens investigation
- Hijacked polyfill[.]io domain reactivates, surfacing native browser credential prompts on sites that never removed legacy script tags
- Magecart family runs its skimmer out of Stripe — payload in customer metadata, stolen cards exfiltrated back through api.stripe.com
- UPDATE: ShinyHunters extortion campaign adds DentaQuest — 234 GB published after refusal to pay, 2.6 M dental-benefit records exposed
- NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers
- Shared booking-software breach exposes guests at 100+ Dutch, Belgian and Irish hotels; phishing wave already underway
- UN World Food Programme breach exposes IDs and locations of ~600,000 Gaza households [SINGLE-SOURCE]
- Dashlane discloses TOTP brute-force that downloaded encrypted vaults of fewer than 20 users
- Spain arrests doxer who published personal data on INCIBE, prosecutorial and security-service staff
- UPDATE: ShinyHunters publishes the Charter Communications dataset after ransom refusal
- California AG sues former 23andMe (Chrome Holding Co.) over the 2023 genetic-data breach — bulk-enumeration coding error plus absent credential-stuffing defences
- CNIL fines IQVIA Operations France €5M for health data warehouse security failures: no MFA, no log monitoring, no network segmentation
- Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands
- TechCrunch finds 100 K passport scans and selfies on a public-read S3 bucket behind a UK Visa Portal lookalike
- Dutch National Police arrest 35-year-old over AFC Ajax fan-data breach — misconfigured API access-control and shared keys exposed 300,000+ accounts and 42,000 season-ticket records
- Lithuania's Centre of Registers loses ~600,000 state-register records to abused institutional credentials; foreign-state actor suspected
- UPDATE: ShinyHunters Salesforce campaign — Charter and 7-Eleven both confirm; 7-Eleven count put at ~185,000 affected
- UPDATE: ShinyHunters lists Charter Communications (Spectrum) — telco victim in the Salesforce-credential campaign
- ShinyHunters Salesforce-credential extortion — three named victims confirmed across the week, capped by Carnival's 5.99M-record disclosure
- Healthcare — administrative and imaging intermediaries remain the soft surface
- AFC Ajax — 300,000+ fan accounts exposed via misconfigured API access control; Dutch suspect arrested
- UK Visa Portal — ~100,000 passport scans and selfies on a public-read S3 bucket behind a government-lookalike site
- ShinyHunters Salesforce campaign — 40+ listed victims; Canada Life and Pitney Bowes confirm; the BreachForums extortion channel was previously seized
- Data-protection enforcement converges on a health-data controls floor — CNIL fines IQVIA €5M; California AG sues over 23andMe
- Six German university hospitals lose ~97,600+ patient records to a breach at billing processor Unimed
- Rhysida claims Stuttgart municipal-data theft for 5 BTC; city denies a confirmed incident
- ICO secures £355,880 POCA confiscation against former Markerstudy Insurance employee for off-hours bulk record access and sale [SINGLE-SOURCE]
- UPDATE: West Pharmaceutical Services — 8-K/A confirms full operational restoration, data investigation ongoing
- B1ack's Stash carding marketplace publicly releases 4.6M card records — SOCRadar attributes collection to e-skimming and phishing; not confirmed by issuing banks
- UPDATE: TeamPCP / Mini Shai-Hulud campaign — GitHub itself breached (~3,800 internal repos via poisoned VS Code extension), Microsoft `durabletask` PyPI worm propagates via AWS SSM and `kubectl exec`, Grafana confirms missed-token-rotation root cause
- UPDATE: TheGentlemen RaaS lists Czech university and Swiss engineering firm on leak site
- ARWINI (Lower Saxony statutory-prescription audit body) — investigators confirm data exfiltration after 4 May intrusion; Kairos ransomware group claims 2.87 TB; ~70,000 GDPR Art. 9 records in scope
- CISA contractor (Nightwing) exposed AWS GovCloud admin keys and internal credentials in public GitHub repo for ~6 months
- 7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic
- UPDATE: Grafana Labs CoinbaseCartel breach — victim confirms source-code-only theft, no customer data, ransom rejected
- Healthcare (DACH) — the soft surface is the administrative intermediary, not the hospital
- Public administration — web-CMS and identity estate under multi-vector pressure
- Education — virtual-classroom platforms and EdTech SaaS exposure
- Six German university hospitals — patient records exfiltrated via billing processor Unimed
- ARWINI (Lower Saxony prescription-audit body) — exfiltration confirmed; Kairos claims 2.87 TB including ~70,000 GDPR Art. 9 records
- 7-Eleven — ShinyHunters Salesforce campaign claims another 600,000+ records
- Grafana Labs / CoinbaseCartel — source-code-only theft confirmed; ransom rejected; detected by canary token
- West Pharmaceutical Services — 8-K/A confirms full operational restoration
- Rhysida claims Stuttgart municipal data — city denies a confirmed incident [SINGLE-SOURCE / unconfirmed]
- Canvas / Instructure extortion — ransom paid, US House investigation, second-intrusion vulnerability re-exploited
- Healthcare
- Manufacturing
- Hospitality
- WordPress retail / e-commerce
- BWH Hotels — 181-day unauthorised access to guest-reservation web application
- Clinical Diagnostics / NMDL — Dutch IGJ formal NEN 7510 non-conformity ruling
- West Pharmaceutical Services — SEC Form 8-K Item 1.05 [SINGLE-SOURCE-OTHER]
- Škoda Auto Deutschland — online-shop breach exposes customer PII and password hashes
- South Staffordshire Water — ICO £963,900 fine
- node-ipc npm package — backdoored via expired-domain account takeover
- Verizon DBIR 2026 (19th annual edition)
- Canvas / Instructure — ShinyHunters / WorldLeaks ransom-paid, US House investigation
- EDPB Coordinated Enforcement Framework 2026 — 25 DPAs investigating GDPR Articles 12–14 transparency
- FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned
- GTIG: UNC6671 "BlackFile" vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration of 1M+ files per victim; DLS shutdown signals probable rebrand [SINGLE-SOURCE]
- `node-ipc` npm package backdoored via expired-domain account takeover — 90+ credential categories exfiltrated, three malicious versions, ~3-minute window to detection
- Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors [SINGLE-SOURCE]
- UPDATE: TeamPCP / Mini Shai-Hulud — OpenAI named as victim; code-signing certificate rotation enforced for all macOS apps
- Dutch IGJ rules Clinical Diagnostics/NMDL failed NEN 7510 information-security standard at time of July 2025 ransomware breach; ~941,000 patients affected, cervical-cancer screening data exposed
- GemStuffer — RubyGems weaponised as a one-way exfiltration channel scraping UK local-authority ModernGov portals; new abuse pattern targets the asymmetric monitoring gap between package pull and push
- Foxconn confirms Nitrogen ransomware crippled North-American manufacturing sites; 8 TB / 11M files claimed
- BWH Hotels (Best Western, WorldHotels, Sure Hotels) — 181-day unauthorised access to a guest-reservation web application, six EU brands in scope
- UPDATE: Instructure Canvas — US House Homeland Security Committee opens formal investigation; Instructure paid ransom
- ICO fines South Staffordshire Water £963,900 — water-sector OES with partial SIEM coverage; Cl0p attribution and ZeroLogon kill-chain detail sourced to The Record
- BKA and ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant
- [SINGLE-SOURCE-OTHER] West Pharmaceutical Services files SEC Form 8-K Item 1.05 — data exfiltrated, systems encrypted, global operations partially restarted
- Škoda Auto Deutschland online-shop breach exposes customer PII and password hashes; logging gap prevents exfiltration confirmation
- UPDATE: Instructure (Canvas LMS) — ransom paid to ShinyHunters with "shred logs"; second intrusion confirmed; per-institution leak deadline reset to today
- Treat the Instructure Canvas "shred logs" as legally unverifiable; align with EU university IR teams on per-institution deadline today
- Akira ransomware on Groupe 3R — 20 Swiss medical-imaging centres across seven cantons; second cyberattack on the same operator within twelve months
- ShinyHunters / WorldLeaks — week-long cross-incident operator activity touching Inditex, Vimeo, ADT, and Instructure / Canvas
- Canvas / Instructure breach — five-day arc from first claim to seven Dutch universities executing emergency disconnects
- Healthcare (CH, NL)
- Education (NL, UK, DE)
- Public-sector administration and digital identity (FR, EU, FI, CH)
- Transport (NL/EU)
- Media and political (HU, DE)
- AI tooling SaaS (multi-tenant credential aggregation, US)
- DigiCert support portal compromise — Salesforce-based support-chat social engineering yielded 60 fraudulent EV code-signing certificates
- Trellix source code repository breach — vendor confirmed, scope undisclosed, supply-chain integrity question open
- Google Threat Intelligence Group — Europe data-leak landscape 2025
- ShinyHunters / WorldLeaks family (financial-data extortion, third-party-SaaS pivot)
- Qilin / Agenda RaaS — Die Linke confirms Q2 2026 German activity continuity
- The Gentlemen RaaS — Europe-skewed operation surged approximately 448% QoQ; 32% of Q1 2026 victims in Europe; FortiGate CVE-2024-55591 initial-access funnel
- Akira playbook quarterly context — Q1 2026 healthcare concentration; Qilin remains the dominant operator on German healthcare victims
- Europol shadow-IT — LIBE committee MEPs call for mandate-expansion pause; EDPS sanctioning toolkit identified as binary
- Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months
- Braintrust AI evaluation platform AWS account breach — multi-tenant LLM-provider keys and SaaS credentials at risk; mandatory key rotation across customer base
- UPDATE: Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9
- Rotate organisation-level upstream LLM keys held by Braintrust customers
- Inditex (Zara) — ShinyHunters publishes 140 GB; 197,400 EU customer records confirmed via third-party analytics compromise
- UPDATE: Canvas/Instructure extortion — Oxford, Cambridge, Liverpool issue public statements; 44 Dutch universities confirmed; May 12 deadline active
- Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage)
- Eurail breach: 308 777 travellers notified three months after December 2025 compromise; Dutch DPA and EDPS open reviews
- UPDATE — Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed