Nearly seven million people are being notified after a cyberattack on Atlanta-based auto insurer AssuranceAmerica exposed highly sensitive personal information, including driver's license numbers, Social Security numbers and insurance records, raising concerns about long-term identity theft risks.
According to the company's breach notice and filings submitted to state regulators, the incident began on March 16, 2026, when a threat actor gained unauthorized access to AssuranceAmerica's internal network using compromised employee credentials obtained through a phishing attack. The company detected suspicious activity the following day, secured the affected systems, and launched a forensic investigation to determine the scope of the compromise.
The investigation later revealed that the attackers had copied files containing personal information belonging to approximately 6.99 million individuals. The exposed data varies by person but may include names, residential addresses, driver's license numbers, Social Security numbers, taxpayer identification numbers, insurance policy and account details, claims information, as well as driver and vehicle records.
The scale of the breach makes it one of the larger disclosures involving government-issued identity documents this year. South Carolina alone reported that 611,046 residents may have been affected, according to the state's Department of Consumer Affairs.
Unlike passwords, driver's license numbers are not easily replaced after they are exposed. These identifiers are widely used to verify identity across banks, insurers, vehicle rental companies, government agencies and financial institutions. When combined with Social Security numbers and other personally identifiable information, they can enable criminals to apply for loans, open fraudulent accounts, submit false tax returns or impersonate victims during identity verification processes.
Law firm Edelson Lechtzin LLP, which announced an investigation into the incident, warned that the compromised information could be used to facilitate identity theft and other forms of financial fraud.
Although AssuranceAmerica identified the intrusion within roughly 24 hours, affected individuals were not notified until late June after investigators completed their review of the compromised data on June 15. The nearly three-month gap between the initial breach and customer notifications has drawn attention to the time required to determine exactly whose information had been accessed before notifications could be issued.
In its public notice, AssuranceAmerica said it disabled the compromised accounts, reset credentials, strengthened network monitoring and provided additional cybersecurity awareness training to employees. The company also engaged external forensic specialists to investigate the incident. However, it has not publicly confirmed whether all affected individuals will receive complimentary credit monitoring or identity protection services.
The AssuranceAmerica breach comes amid a growing number of incidents involving government-issued identity documents. In June, Texas disclosed a separate cyberattack affecting approximately three million driver's license and passport records maintained by the Texas Parks and Wildlife Department, adding to a broader trend of organizations reporting the theft of sensitive identification data.
The growing reliance on digital identity verification has also increased the amount of personal identification collected by businesses and online platforms. As governments and private organizations increasingly require users to upload driver's licenses and other official documents for account verification and age checks, cybersecurity experts warn that breaches involving these records can have lasting consequences because many of these identifiers cannot be easily changed once exposed.
Individuals who may have been affected are encouraged to closely review financial and insurance accounts for suspicious activity, consider placing a credit freeze or fraud alert with the major credit bureaus, monitor their credit reports for unauthorized accounts and remain cautious of phishing emails or phone calls that attempt to exploit information exposed during the breach. Victims should also follow guidance issued by their state consumer protection agencies and promptly report any suspected identity theft.
The Coca-Cola Company has revealed that a ransomware attack targeting its Fairlife dairy business has temporarily disrupted production across the United States after threat actors gained unauthorized access to company systems, including those supporting manufacturing operations.
The incident was disclosed in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), a regulatory filing used by publicly traded companies to report significant corporate events. According to Coca-Cola, the cyberattack affected certain Fairlife systems, including production-related infrastructure, prompting the company to temporarily suspend manufacturing at its U.S. facilities while recovery efforts are underway.
Upon detecting the unauthorized activity, Coca-Cola said it immediately activated its incident response and business continuity protocols to contain the incident and minimize operational disruption. The company has engaged external cybersecurity advisors and experts to support its investigation and recovery efforts, while law enforcement has also been notified.
Although manufacturing operations have been interrupted, Coca-Cola emphasized that the ransomware attack has not affected the quality or safety of Fairlife products. The temporary production halt is part of the company's response as it works to restore impacted systems and verify operational readiness before resuming normal manufacturing activities. Fairlife's Canadian production facilities continue to operate normally and have not been affected by the incident.
The company said its investigation remains ongoing and that it is continuing to assess both the nature of the attack and its potential business impact. At this stage, Coca-Cola has not determined whether the incident is reasonably likely to have a material effect on the company's financial condition or overall operations.
Fairlife is one of Coca-Cola's dairy brands and manufactures a range of ultra-filtered milk products, protein shakes and nutrition beverages sold across the United States. Its product portfolio includes Ultra-Filtered Milk, Core Power Protein Shakes and Nutrition Plan.
Several aspects of the incident remain undisclosed. Coca-Cola has not confirmed whether attackers exfiltrated any data during the intrusion, whether the company has received an extortion demand or which ransomware operation may be responsible for the attack. As of publication, no known ransomware group has publicly claimed responsibility for the incident.
Ransomware attacks increasingly target organizations' operational environments in addition to traditional corporate networks, as disrupting production can exponentially multiply pressure on victims during recovery efforts. Many modern ransomware operations also employ double-extortion tactics by stealing sensitive information before encrypting systems and later threatening to publish the stolen data unless a ransom is paid. However, Coca-Cola has not indicated that any data theft occurred in this incident, and there is currently no public evidence confirming that attackers exfiltrated information from Fairlife's systems.
When asked whether data had been stolen, whether the company had received an extortion demand or which ransomware group may have been behind the attack, a Coca-Cola spokesperson declined to provide additional details beyond the company's public statement.
Coca-Cola continues to restore affected systems while its investigation remains ongoing, with U.S. Fairlife production expected to resume once recovery efforts are completed and manufacturing systems have been safely brought back online.
Mount Royal University (MRU) has confirmed that threat actors stole data and deleted files after breaching the university's network in a cyberattack that continues to affect recovery efforts weeks after the incident.
In an update published on its website, the Calgary-based public university said the attack occurred on June 17 and that internal technical teams are working alongside external cybersecurity specialists to investigate the intrusion, determine its full scope, and restore affected systems.
The cyberattack disrupted a wide range of university services, including internet connectivity, online platforms, and several internal systems used across campus. Recovery efforts remain ongoing, with the university warning that restoring all affected services may take several weeks or, in some cases, months.
According to the university's investigation, attackers gained unauthorized access to data stored on the institution's "H drive," a file storage system used by students and employees. Investigators have confirmed that files stored within certain folders were accessed and exfiltrated before the attackers deleted the original copies, a move that has further complicated recovery operations.
"We regret to inform our community that our investigation has now shown that data within certain folders on the University's 'H drive' was accessed and taken by an unauthorized actor," the university said in its advisory.
MRU said the affected folders contained information relating to current and former students, current and former employees, as well as other individuals whose data was stored within the impacted environment. The university has not yet disclosed the exact categories of information exposed or the total number of people affected.
The investigation also found that attackers deleted data stored on a separate departmental file storage system known as the "J drive." While the university said there is currently no evidence that information from the J drive was accessed or copied before it was erased, officials cautioned that recovering the deleted data remains an ongoing process and acknowledged that a complete restoration may not be possible.
The university has reported the incident to the Alberta Information and Privacy Commissioner and notified law enforcement authorities. Officials added that determining the precise impact for each affected individual will take time because the deletion of files has made forensic analysis more complex. Individuals whose information is confirmed to have been affected will receive direct notifications as the investigation progresses.
Responsibility for the attack has been claimed by the cybercrime group CMD Organization, which has published samples of what it alleges is stolen university data, including passport scans and other sensitive documents.
The group is demanding a ransom of 30 Bitcoin, valued at approximately $1.9 million at current exchange rates, and has reportedly given the university six days to respond before releasing additional data. CMD Organization also appears to operate an auction-based extortion model, advertising exclusive access to stolen datasets for the highest bidder through both clear web and dark web leak sites. At the time of writing, the group lists approximately 30 organizations on its extortion portal.
Founded more than a century ago, Mount Royal University currently serves about 11,560 students, including roughly 12,500 undergraduate learners.
As recovery work continues, the university said it will provide additional updates as more information becomes available. MRU is also offering two years of credit monitoring and identity theft protection to current employees and individuals who have worked at the university within the past five years.
A large-scale password spraying campaign targeting Microsoft 365 environments through Microsoft’s Azure Command-Line Interface (Azure CLI) generated more than 81 million authentication attempts and compromised at least 78 user accounts across 64 organizations, according to cybersecurity firm Huntress.
Huntress said the activity was observed between June 12 and June 21, with attackers typically compromising two to four accounts per day before activity surged around June 22, when 23 organizations were affected. Most of the login attempts originated from AS32167, an autonomous system associated with hosting provider LSHIY LLC.
The company said the campaign formed part of a larger wave of credential-spraying attacks spanning multiple autonomous systems and noted that the volume of such attacks across its customer base has increased more than 155-fold during the past six months. Investigators believe the operation relied primarily on previously exposed username-and-password combinations obtained from credential leak collections.
A key element of the campaign was the use of the OAuth Resource Owner Password Credentials (ROPC) flow through Azure CLI. Although ROPC has been deprecated in OAuth 2.1, it can still exchange valid usernames and passwords directly for access tokens without an interactive sign-in prompt. Huntress said this allowed attackers to authenticate successfully in environments where multi-factor authentication policies did not fully cover that authentication flow.
The investigation identified several configuration gaps among affected organizations, including MFA policies applied only to certain cloud applications or user groups, enforcement limited to non-trusted locations, and policies that had been configured but never enforced. Huntress also found that eight impacted organizations had no MFA policy enabled.
Huntress emphasized that the findings should not be interpreted as evidence that MFA is ineffective. Instead, organizations should review Conditional Access policies, eliminate deprecated authentication methods where possible, ensure MFA protections apply to all supported sign-in flows, and monitor Azure CLI authentication activity for unusual login patterns.
The IPv6 address range used in the campaign belongs to LSHIY, an internet infrastructure provider registered in Hong Kong, Wuhan, China, and New York. Huntress said it reported the activity through the provider’s abuse-reporting channel but had not received a response.
The company had earlier disclosed that its corporate IT infrastructure had been compromised by hackers. The cyber extortion group ShinyHunters later claimed responsibility for the attack, alleging it had obtained around 9 million records containing personally identifiable information (PII) and internal corporate data.
According to the notification shared by the company, “On April 15, 2026, Medtronic became aware of unusual activity on certain corporate IT systems.”
The notice further states, “Medtronic launched an investigation with the assistance of leading third-party cybersecurity experts to determine the impact and scope of the incident.”
Following the investigation, the company concluded that “The investigation determined that from April 13 to April 19, 2026, an unauthorized actor accessed certain Medtronic corporate IT systems.”
The information that may have been exposed includes:
Full name
Contact information
Date of birth
Social Security number
Health-related information
ShinyHunters is known for publishing stolen information when ransom demands are not met. The group reportedly added Medtronic to its dark web leak site on April 18, claiming it possessed more than 9 million records and warning that the data would be released if a ransom was not paid by April 21.
However, the listing disappeared from the group's portal later that month. In its customer notification, Medtronic clarified that the compromised data has not been made publicly available online.
Medtronic operates in over 150 countries and employs approximately 95,000 people, generating annual revenue of around $33.5 billion.
Despite the breach involving customer information, the company has reassured users that its medical devices continue to operate safely and were not impacted by the cybersecurity incident.
Customers receiving breach notifications are being encouraged to enroll in the company's complimentary 24-month credit monitoring and identity theft protection program to reduce potential risks.
The company has also advised affected individuals to stay alert for suspicious emails, messages, or calls that could exploit the exposed information for phishing, social engineering, or other fraudulent activities. Customers are also encouraged to regularly review their account activity for any signs of unauthorized access.
The attack leveraged CVE-2026-35273, a critical vulnerability with a CVSS score of 9.8. The flaw exists in the Updates Environment Management (PSEMHUB) component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62. It allows attackers to move from an unauthenticated Server-Side Request Forgery (SSRF) attack to full Remote Code Execution (RCE) without requiring user interaction or authentication. Because the vulnerability can be exploited over standard HTTP, any exposed and unpatched server is at significant risk.
Oracle released an emergency security update on June 10, 2026, to address the flaw. Two days later, the vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation.
According to security researchers at Mandiant and Google’s Threat Intelligence Group (GTIG), the ShinyHunters group began exploiting the vulnerability as early as May 27, 2026—more than two weeks before Oracle publicly disclosed the issue. During that period, attackers reportedly compromised more than 300 Oracle PeopleSoft instances across over 100 organizations using automated attack tools.
Breach notifications submitted to the California Attorney General’s Office revealed that Nissan Americas was among the organizations impacted during the wider campaign. The company's investigation found that the intrusion occurred between May 27 and June 9, 2026.
The compromised information may include employee contact details, banking information, Social Security Numbers (SSN), Social Insurance Numbers (SIN), National Identification Numbers, financial and tax records, as well as dependent and beneficiary information. The incident affects both current and former employees in the U.S., Canada, Mexico, and Brazil.
Following the discovery of the breach, Nissan activated its incident response procedures, brought in external cybersecurity experts, and coordinated with law enforcement agencies. As part of its containment measures, the company limited payroll system access, allowing employees to view pay slips and modify direct deposit details only through corporate network computers or secure VPN connections. Additional identity verification measures have also been introduced for payroll-related requests. Nissan said it is providing complimentary credit monitoring and dark web monitoring services to eligible affected individuals.
Mandiant's investigation found that attackers installed MeshCentral remote management agents on compromised systems while disguising them as legitimate Microsoft Azure services, including meshagent64-azure-ops.exe. Command-and-control communications were routed through wss://azurenetfiles[.]net:443/agent.ashx.
The attackers also carried out post-compromise activities such as reviewing PeopleSoft configurations, moving laterally across networks, and compressing stolen data using zstd before exfiltration. Infected servers were left with a ransom note named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
Cybersecurity firms Rapid7 and Mandiant have urged organizations running Oracle PeopleTools 8.61 or 8.62 to immediately apply Oracle’s security updates. They also recommend disabling or restricting access to the PSEMHUB service, blocking external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector, monitoring outbound SMB traffic for potential NetNTLM hash capture attempts, investigating systems for signs of compromise even after patching, and rotating credentials that may have been exposed.
The incident represents the second major Oracle ERP zero-day vulnerability with a CVSS score of 9.8 to be actively exploited in less than eight months. It follows the exploitation of CVE-2025-61882 in Oracle E-Business Suite by the Cl0p ransomware group in 2025, highlighting the growing focus of organized cybercriminal groups on enterprise resource planning (ERP) platforms.
Japanese telecommunications giant KDDI Corporation has disclosed a cybersecurity incident that may have compromised the email credentials of millions of users. According to the company, attackers gained unauthorized access to an email system that supports services for five internet service providers (ISPs) in Japan.
KDDI detected the security breach on June 17 and said it took immediate action to block the attackers while deploying additional security measures to contain the incident.
The company's investigation found that the intrusion occurred after threat actors exploited a vulnerability in third-party software used within KDDI's email infrastructure.
"Although technical defensive measures have already been implemented for the system, there remains a possibility that customers' email addresses and passwords were obtained by unauthorized third parties as a result of the incident," KDDI warns.
KDDI, one of Japan's largest internet service providers, employs around 45,000 people and generates annual revenue of approximately $32.4 billion. Established in 2000 through the merger of IDO, DDI, and KDD, the company serves millions of customers across the country.
The breach impacted email services operated by the following ISPs:
STNet, Inc.
JCOM Co., Ltd.
Chubu Telecommunications Co., Inc.
NIFTY Corporation
BIGLOBE Inc.
While the investigation remains ongoing, KDDI estimates that email addresses and passwords belonging to as many as 14.22 million current, former, and inactive customer accounts may have been exposed.
The company noted that a portion of the affected passwords had been stored in hashed and/or encrypted form, reducing the likelihood of immediate misuse if accessed by attackers. However, it did not disclose the encryption method used or clarify how many passwords, if any, were stored in plaintext.
Since identifying the breach, KDDI has informed the affected ISP operators and reported the incident to Japan's Personal Information Protection Commission as well as the Ministry of Internal Affairs and Communications.
The telecom operator is working closely with the impacted ISPs to strengthen security measures and reduce potential risks stemming from the incident.
Customers whose accounts may have been affected are advised to reset their email passwords immediately. KDDI also recommends enabling two-factor authentication (2FA), where available, to provide an additional layer of account security.
Romania's healthcare system faced one of its biggest cyber crises in February 2024 when a widespread ransomware attack targeted hospitals across the country, disrupting critical medical services and exposing the growing vulnerability of healthcare infrastructure to cybercriminals.
The attack began when hackers infiltrated the systems of Bucharest-based software company RSC, compromising its widely used hospital management platform, Hippocrates. As the malicious software rapidly spread to connected hospitals, officials at Romania's National Directorate for Cyber Security (DNSC) realized immediate action was necessary to prevent a nationwide catastrophe.
Faced with limited options, DNSC Director Dan Cimpean instructed more than 100 hospitals to disconnect from the internet immediately. The drastic measure successfully halted the spread of the ransomware but also left hospitals without internet access, email services, and connected medical systems.
Medical staff were forced to abandon digital records and return to manual processes, relying on handwritten documentation and paper-based workflows while cybersecurity experts investigated the breach and IT teams worked to restore operations.
The incident has since become an important case study for disaster response planners worldwide, demonstrating how healthcare systems can continue functioning during a major cyberattack.
Surgeon Oana Goidescu, who was working at Buzău Hospital when the attack unfolded, described the challenges medical staff faced.
"It was quite an unpleasant experience, because an IT record is not just a list of patients." She explained the extent of the disruption by adding: "For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone."
The Hippocrates platform plays a central role in hospital operations, handling patient admissions, laboratory requests, pharmacy logistics, payroll, medical records, and diagnostic results. Once compromised, hospitals across Romania experienced widespread service failures.
The ransomware used in the attack, known as BackMyData, encrypted hospital files and demanded payment in Bitcoin to restore access.
The first warning signs appeared at Pitești Children's Hospital on the morning following the breach. By the next day, numerous hospitals reported that their Hippocrates systems had stopped functioning.
Cybersecurity specialists collaborated closely with the software provider to identify infected systems, isolate the malware, and begin recovery efforts.
Meanwhile, hospitals developed temporary offline systems to continue treating patients.
Vlad Paic from Carol Davila Hospital explained how his team adapted. When we saw the system would not be repaired quickly, we developed an offline method so we could register every patient. He added:"We asked the laboratory to give us results on paper. We used Excel and other offline tools to ensure care was not affected."
Romania's relatively recent transition to digital healthcare systems proved somewhat beneficial, as many staff members were still familiar with traditional paper-based procedures.
Investigators later confirmed that 26 hospitals had been directly infected with the BackMyData ransomware. Unaffected hospitals were gradually reconnected to the internet after additional cybersecurity protections were implemented.
Authorities also relied heavily on public communication throughout the crisis. Patients were advised to avoid hospitals unless absolutely necessary, helping reduce pressure on already strained facilities.
Despite these efforts, medical staff often faced frustration from worried patients.
Goidescu recalled: "We were asked, 'What if it were your mother?' They were right to be angry, but we tried to explain we were not at fault."
Romanian authorities also issued clear instructions that hospitals should neither negotiate with the attackers nor pay the ransom. The hackers had demanded €160,000 in Bitcoin, but the government refused payment and instead focused on restoring systems through secure backups.
Regular data backups proved invaluable, allowing most hospitals to recover their systems within five days. Although no deaths or serious patient harm were reported during the incident, healthcare workers spent weeks manually entering records created during the outage, while some information was permanently lost.
Investigators have not publicly identified those responsible for the attack. However, authorities previously dismantled a ransomware group linked to BackMyData in an international law enforcement operation that resulted in the arrest of four Russian nationals outside Russia.
Reflecting on the incident, Dan Cimpean warned that no country is immune from similar threats. "The more technology you have, the more digitised you are, the greater the risk."
The Romanian cyberattack reflects a broader global trend. In the United Kingdom, a cyberattack on an NHS blood-testing provider last year contributed to the first officially confirmed patient death linked to a cyber incident. In the United States, attacks on Change Healthcare and Ascension caused major disruptions, with Change Healthcare reportedly paying a $22 million ransom.
Cybersecurity experts say hospitals remain attractive targets because of their essential services.
Alina Bîzgă of cybersecurity company Bitdefender explained: "Hospitals handle critical services, and the criminals think that the more disruption that can be caused, the more likely they are to get paid a ransom."
The Romania incident highlights the urgent need for stronger cybersecurity measures, routine system backups, and well-prepared emergency response plans to safeguard healthcare services against increasingly sophisticated cyber threats.