CySecurity News - Latest Information Security and Hacking Incidents: Data Leak

Credit Union Customer Data Customer Data Exposed Cyber Attacks cybercriminals Data Leak data security Hacker attack Personal Data Phishing Scams

Blackpool Credit Union Cyberattack Exposes Customer Data in Cork

A Cork-based credit union has issued a warning to its customers after a recent cyberattack exposed sensitive personal information. Blackpool Credit Union confirmed that the breach occurred late last month and subsequently notified members through a formal letter. Investigators determined that hackers may have gained access to personal records, including names, contact information, residential addresses, dates of birth, and account details. While there is no evidence that any funds were stolen or PIN numbers compromised, concerns remain that the stolen data could be misused.

The investigation raised the possibility that cybercriminals may publish the stolen records on underground marketplaces such as the dark web. This type of exposure increases the risk of identity theft or secondary scams, particularly phishing attacks in which fraudsters impersonate trusted organizations to steal additional details from unsuspecting victims. Customers were urged to remain vigilant and to treat any unsolicited communication requesting personal or financial information with caution.

The Central Bank of Ireland has been briefed on the situation and is monitoring developments. It has advised any members with concerns to reach out directly to Blackpool Credit Union through its official phone line. Meanwhile, a spokesperson for the credit union assured the public that services remain operational and that members can continue to access assistance in person, by phone, or through email. The organization emphasized that safeguarding customer data remains a priority and expressed regret over the incident. Impacted individuals will be contacted directly for follow-up support.

The Irish League of Credit Unions reinforced the importance of caution, noting that legitimate credit unions will never ask members to verify accounts through text messages or unsolicited communications. Fraudsters often exploit publicly available details to appear convincing, setting up sophisticated websites and emails to lure individuals into disclosing confidential information. Customers were reminded to independently verify the authenticity of any suspicious outreach and to rely on official registers when dealing with financial services.

Experts warn that people who have already fallen victim to scams are more likely to be targeted again. Attackers often pressure individuals into making hasty decisions, using the sense of urgency to trick them into disclosing sensitive information or transferring money. Customers were encouraged to take their time before responding to unexpected requests and to trust their instincts if something feels unusual or out of place.

The Central Bank reiterated its awareness of the breach and confirmed that it is in direct communication with Blackpool Credit Union regarding the response measures. Members seeking clarification were again directed to the credit union’s official helpline for assistance.

GitHub Supply Chain Attack ‘GhostAction’ Exposes Over 3,000 Secrets Across Ecosystems



 

Malware Attack

Cyber Attacks Cyber Hackers Data Leak data security Data Transfer Database Security GitHub leaked sensitive data Malicious Files Malware Attack

GitHub Supply Chain Attack ‘GhostAction’ Exposes Over 3,000 Secrets Across Ecosystems

A newly uncovered supply chain attack on GitHub, named GhostAction, has compromised more than 3,300 secrets across multiple ecosystems, including PyPI, npm, DockerHub, GitHub, Cloudflare, and AWS. The campaign was first identified by GitGuardian researchers, who traced initial signs of suspicious activity in the FastUUID project on September 2, 2025. The attack relied on compromised maintainer accounts, which were used to commit malicious workflow files into repositories. These GitHub Actions workflows were configured to trigger automatically on push events or manual dispatch, enabling the attackers to extract sensitive information.

Once executed, the malicious workflow harvested secrets from GitHub Actions environments and transmitted them to an attacker-controlled server through a curl POST request. In FastUUID’s case, the attackers accessed the project’s PyPI token, although no malicious package versions were published before the compromise was detected and contained. Further investigation revealed that the attack extended well beyond a single project. Researchers found similar workflow injections across at least 817 repositories, all exfiltrating data to the same domain. To maximize impact, the attackers enumerated secret variables from existing legitimate workflows and embedded them into their own files, ensuring multiple types of secrets could be stolen.

GitGuardian publicly disclosed the findings on September 5, raising issues in 573 affected repositories and notifying security teams at GitHub, npm, and PyPI. By that time, about 100 repositories had already identified the unauthorized commits and reverted them. Soon after the disclosures, the exfiltration endpoint used by the attackers went offline, halting further data transfers.

The scope of the incident is significant, with researchers estimating that roughly 3,325 secrets were exposed. These included API tokens, access keys, and database credentials spanning several major platforms. At least nine npm packages and 15 PyPI projects remain directly affected, with the risk that compromised tokens could allow the release of malicious or trojanized versions if not revoked. GitGuardian noted that some companies had their entire SDK portfolios compromised, with repositories in Python, Rust, JavaScript, and Go impacted simultaneously.

While the attack bears some resemblance to the s1ngularity campaign reported in late August, GitGuardian stated that it does not see a direct connection between the two. Instead, GhostAction appears to represent a distinct, large-scale attempt to exploit open-source ecosystems through stolen maintainer credentials and poisoned automation workflows. The findings underscore the growing challenges in securing supply chains that depend heavily on public code repositories and automated build systems.

Massive database of 250 million data leaked online for public access



 

User Privacy

AI Cloud Cyber Security Data Data Leak data security Internet User Privacy

Massive database of 250 million data leaked online for public access

Around a quarter of a billion identity records were left publicly accessible, exposing people located in seven countries- Saudi Arabia, the United Arab Emirates, Canada, Mexico, South Africa, Egypt, and Turkey.

According to experts from Cybernews, three misconfigured servers, registered in the UAE and Brazil, hosting IP addresses, contained personal information such as “government-level” identity profiles. The leaked data included contact details, dates of birth, ID numbers, and home addresses.

Cybernews experts who found the leak said the databases seemed to have similarities with the naming conventions and structure, which hinted towards the same source. But they could not identify the actor who was responsible for running the servers.

“These databases were likely operated by a single party, due to the similar data structures, but there’s no attribution as to who controlled the data, or any hard links proving that these instances belonged to the same party,” they said.

The leak is particularly concerning for citizens in South Africa, Egypt, and Turkey, as the databases there contained full-spectrum data.

The leak would have exposed the database to multiple threats, such as phishing campaigns, scams, financial fraud, and abuses.

Currently, the database is not publicly accessible (a good sign).

This is not the first incident where a massive database holding citizen data (250 million) has been exposed online. Cybernews’ research revealed that the entire Brazilian population might have been impacted by the breach.

Earlier, a misconfigured Elasticsearch instance included the data with details such as sex, names, dates of birth, and Cadastro de Pessoas Físicas (CPF) numbers. This number is used to identify taxpayers in Brazil.

2 Doctors in Hong Kong Arrested for Leaking Patient Data



 

Privacy

Data Leak Doctor Healthcare Hong Kong Hospital Privacy

2 Doctors in Hong Kong Arrested for Leaking Patient Data

Two doctors at a Hong Kong public hospital were arrested on charges of accessing computers with dishonest or criminal intent, allegedly involved in a data leak. According to police superintendent Wong Yick-lung, a 57-year-old consultant and a 35-year-old associate consultant from Tseung Kwan O Hospital were arrested in Ho Man Tin and Fo Tan, respectively.

Officers seized computers and other records; the pair is in police custody. On Sunday, the hospital stated the alleged leak, but the exact details were not disclosed at that time. The hospital’s chief executive, Dr. Kenny Yuen Ka-ye, said that the data of a few patients had been given to a third party. An internal complaint a month ago prompted the investigation.

According to Dr Ka-ye, the hospital found at least one doctor who accessed the patient’s personal data without permission. The hospital believes the documents containing information about other patients might have also been exposed to the third party. Police said experts are working to find out more details concerning the number of patients impacted by the incident.

While the investigation is ongoing, the consultant Dr has given his resignation, while the associate consultant has been suspended. At the time of writing this story, the motivation behind the attack is not known. According to Yuen, every doctor has access to the clinical management system that has patient information, but the use is only permitted under a strict “need-to-know” for research purposes or as part of the medical team taking care of a patient.

The investigation revealed that the two doctors didn’t fit into either category, which was a violation. According to SCMP’s conversation with a source, the portal reported that the two doctors (both members of the surgery department) sent details of a female pancreatic cancer patient who died after a surgical operation.

The pair illegally accessed the info and sent it to the family, asking them to file a complaint against the doctor who did the operation. This was done to show the doctor’s alleged incompetence.

The hospital has sent the case to the Office of the Privacy Commissioner for Personal Data, and has also reported the incident to the police and the Medical Council.

CISOs fear material losses amid rising cyberattacks



 

Technology

AI Business ChatGPT Cloud Data Data Leak GenAI Technology

CISOs fear material losses amid rising cyberattacks

Chief information security officers (CISOs) are worried about the dangers of a cyberattack, and there is an anxiety due to the material losses of data that organizations have suffered in the past year.

According to a report by Proofpoint, the majority of CISOs fear a material cyberattack in the next 12 months. These concerns highlight the increasing risks and cultural shifts among CISOs.

Changing roles of CISOs

“76% of CISOs anticipate a material cyberattack in the next year, with human risk and GenAI-driven data loss topping their concerns,” Proofpoint said. In this situation, corporate stakeholders are trying to get a better understanding of the risks involved when it comes to tech and whether they are safe or not.

Experts believe that CISOs are being more open about these attacks, thanks to SEC disclosure rules, strict regulations, board expectations, and enquiries. The report surveyed 1,600 CISOs worldwide; all the organizations had more than 1000 employees.

Doing business is a concern

The study highlights a rising concern about doing business amid incidents of cyberattacks. Although the majority of CISOs are confident about their cybersecurity culture, six out of 10 CISOs said their organizations are not prepared for a cyberattack. The majority of the CISOs were found in favour of paying ransoms to avoid the leak of sensitive data.

AI: Saviour or danger?

AI has risen both as a top concern as well as a top priority for CISOs. Two-thirds of CISOs believe that enabling GenAI tools is a top priority over the next two years, despite the ongoing risks. In the US, however, 80% CISOs worry about possible data breaches through GenAI platforms.

With adoption rates rising, organizations have started to move from restriction to governance. “Most are responding with guardrails: 67% have implemented usage guidelines, and 68% are exploring AI-powered defenses, though enthusiasm has cooled from 87% last year. More than half (59%) restrict employee use of GenAI tools altogether,” Proofpoint said.

Fake Netflix Job Offers Target Facebook Credentials in Real-Time Scam



 

User Privacy

Credential Theft Cyber Fraud Data Leak Netflix Job Scam User Privacy

Fake Netflix Job Offers Target Facebook Credentials in Real-Time Scam

A sophisticated phishing campaign is targeting job seekers with fake Netflix job offers designed to steal Facebook login credentials. The scam specifically focuses on marketing and social media professionals who may have access to corporate Facebook business accounts.

Modus operandi

The attack begins with highly convincing, AI-generated emails that appear to come from Netflix's HR team, personally tailored to recipients' professional backgrounds. When job seekers click the "Schedule Interview" link, they're directed to a fraudulent career site that closely mimics Netflix's official page.

The fake site prompts users to create a "Career Profile" and offers options to log in with Facebook or email. However, regardless of the initial choice, victims are eventually directed to enter their Facebook credentials. This is where the scam becomes particularly dangerous.

Real-time credential theft

What makes this attack especially sophisticated is the use of websocket technology that allows scammers to intercept login details as they're being typed. As Malwarebytes researcher Pieter Arntz explains, "The phishers use a websocket method that allows them to intercept submissions live as they are entered. This allows them to try the credentials and if your password works, they can log into your real Facebook account within seconds".

The attackers can immediately test stolen credentials on Facebook's actual platform and may even request multi-factor authentication codes if needed. If passwords don't work, they simply display a "wrong password" message to maintain the illusion.

While personal Facebook accounts have value, the primary goal is accessing corporate social media accounts. Cybercriminals seek marketing managers and social media staff who control company Facebook Pages or business accounts. Once compromised, these accounts can be used to run malicious advertising campaigns at the company's expense, demand ransom payments, or leverage the organization's reputation for further scams.

Warning signs and protection

Security researchers have identified several suspicious email domains associated with this campaign, including addresses ending with @netflixworkplaceefficiencyhub.com, @netflixworkmotivation, and @netflixtalentnurture.com. The fake hiring site was identified as hiring.growwithusnetflix[.]com, though indicators suggest the operators cleared their tracks after the scam was exposed.

Job seekers should be cautious of unsolicited job offers, verify website addresses carefully, and remember that legitimate Netflix recruitment doesn't require Facebook login credentials. The campaign demonstrates how scammers exploit both job market anxiety and the appeal of working for prestigious companies to execute sophisticated credential theft operations.

Orange Belgium Hit by Cyberattack Affecting 850,000 Customers



 

User Privacy

Cyber Attacks Data Leak French Telecom Giant Orange Belgium User Privacy

Orange Belgium Hit by Cyberattack Affecting 850,000 Customers

Orange Belgium, a major telecommunications provider and subsidiary of French telecom giant Orange Group, confirmed in August 2025 a significant cyberattack on its IT systems that resulted in unauthorized access to the personal data of approximately 850,000 customers.

The attack was detected at the end of July, after which the company swiftly activated its incident response procedures, including blocking access to the affected system, strengthening its security measures, and notifying both the relevant authorities and impacted customers. An official complaint was filed with judicial authorities, and the investigation remains ongoing.

The data accessed by the attackers included surname, first name, telephone number, SIM card number, PUK (Personal Unlocking Key) code, and tariff plan. Importantly, Orange Belgium reassured customers that no critical data—such as passwords, email addresses, or bank and financial details—were compromised in this incident. This distinction is significant, as the absence of authentication and financial data reduces, but does not eliminate, risks for affected individuals.

Affected customers are being notified by email or text message, with advice to remain vigilant for suspicious communications, particularly phishing or impersonation attempts. The company recommends that customers exercise caution with any unexpected requests for sensitive information, as criminals may use the stolen data for social engineering attacks.

Some security experts have specifically warned about the risk of SIM swapping—whereby attackers hijack a phone number by convincing a mobile operator to transfer service to a new SIM card under their control—and advise customers to request new SIM cards and PUK codes as a precaution.

The incident is one of several cyberattacks targeting Orange and its subsidiaries in 2025, although there is no evidence to suggest that this breach is linked to previous attacks affecting Orange’s operations in other countries. Orange Belgium operates a network serving over three million customers in Belgium and Luxembourg, making this breach one of the most significant data security incidents in the region this year.

Criticism has emerged regarding Orange Belgium’s communication strategy, with some cybersecurity experts arguing that the company underplayed the potential risks—such as SIM swapping—and placed too much responsibility on customers to protect themselves after the breach. Despite these concerns, Orange Belgium’s response included immediate technical containment, regulatory notification, and customer outreach, aligning with standard incident response protocols for major telecom providers.

The breach highlights the persistent threat of cyberattacks against telecommunications companies, which remain attractive targets due to the vast amounts of customer data they manage. While the immediate risk of financial loss or account takeover is lower in this case due to the nature of the exposed data, the incident underscores the importance of robust cybersecurity measures and clear, transparent communication with affected users. Customers are encouraged to monitor their accounts, change passwords as a precaution, and report any suspicious activity to Orange Belgium and the authorities.

Connex Credit Union Confirms Data Breach Impacting 172,000 Customers



 

Personal Data Breach

Bank Data Leak Credit Union Customer Data Cyberattacks Data Breach Data Leak Data protection data security financial attack Personal Data Breach

Connex Credit Union Confirms Data Breach Impacting 172,000 Customers

Connex Credit Union, headquartered in North Haven, Connecticut, recently revealed that a data breach may have affected around 172,000 of its members. The compromised data includes names, account numbers, debit card information, Social Security numbers, and government identification used for account openings. The credit union emphasized that there is no indication that customer accounts or funds were accessed during the incident.

The breach was identified after Connex noticed unusual activity in its digital systems on June 3, prompting an internal investigation. The review indicated that certain files could have been accessed or copied without permission on June 2 and 3. By late July, the credit union had determined which members were potentially affected. To inform customers and prevent fraud, Connex posted a notice on its website warning that scammers might attempt to impersonate the credit union through calls or messages.

The advisory stressed that Connex would never request PINs, account numbers, or passwords over the phone. To support affected individuals, the credit union set up a toll-free call center and is offering a year of free credit monitoring and identity theft protection through TransUnion’s CyberScout service. Connex also reported the breach to federal authorities, including the National Credit Union Administration, and committed to cooperating fully with law enforcement to hold the attackers accountable.

This breach is part of a broader trend of cyberattacks on financial institutions. Earlier in 2025, Western Alliance Bank in Phoenix reported a cyber incident that potentially exposed 22,000 customers’ information due to vulnerabilities in third-party file transfer software, which remained undetected for over three months. Regulatory agencies have also been targeted; in April, attackers accessed emails from the Office of the Comptroller of the Currency containing sensitive financial information, prompting banks such as JPMorgan Chase and Bank of America to temporarily halt electronic data sharing. Other credit unions have faced similar incidents.

In 2024, TDECU in Lake Jackson, Texas, learned it had been affected by a MoveIt cybersecurity breach over a year after it occurred. One of the largest bank breaches in recent memory took place in July 2019, when Capital One was hacked by a former Amazon Web Services employee, compromising data of 106 million individuals. The company faced an $80 million penalty to the OCC and a $190 million class-action settlement, while the hacker was convicted in 2022 for wire fraud and unauthorized access.

As cyberattacks become more sophisticated, this incident underscores the importance of vigilance, strong cybersecurity practices, and proactive protection measures for customers and financial institutions alike.

Orange Belgium Data Breach Exposes 850K Users to SIM-Swapping Risks



 

Warlock Ransomware

Cyber Fraud Data Leak Orange Belgium SIM Swapping Warlock Ransomware

Orange Belgium Data Breach Exposes 850K Users to SIM-Swapping Risks

Orange Belgium has suffered a major data breach in which an attacker accessed the personal information of approximately 850,000 customers, with SIM card numbers and Personal Unblocking Key (PUK) codes among the most sensitive details exposed.

The breach, disclosed in a press release dated August 20, 2025, immediately raised concerns about the increased risk of SIM swapping—a fraud technique in which criminals gain control of a victim’s phone number by transferring it to a SIM card under their control. This enables them to intercept calls and messages, including those containing one-time passcodes for multi-factor authentication, potentially bypassing account security measures.

The compromised data included customer first and last names, phone numbers, SIM card numbers, PUK codes, and tariff plan details. The company stressed that no passwords, email addresses, or banking and financial information were accessed.

Upon detecting the intrusion in late July, Orange Belgium claims it promptly blocked access to the affected system, tightened security, and notified law enforcement. Affected customers are being contacted directly with advice to remain vigilant against suspicious communications.

Notably, the incident coincides with a separate cyberattack against Orange’s French operations, although the company has not confirmed any link between the two events. The French incident reportedly did not result in unauthorized access to customer or corporate data.

In response to the breach, Orange Belgium introduced additional verification steps to prevent fraudulent SIM swaps, such as requiring customers to answer extra security questions when requesting SIM replacements. The answers to these questions were not compromised in the attack, according to the company.

However, white hat hacker Inti De Ceukelaire criticized this approach, arguing that these measures are unlikely to fully prevent SIM swapping, especially if attackers attempt to port numbers to other providers. He also noted that Orange Belgium has not provided guidance or support for changing PUK or SIM numbers—information that is typically considered highly sensitive by other telecom providers.

De Ceukelaire further criticized Orange’s initial communications for minimizing the seriousness of the breach, particularly in labeling the exposed PUK and SIM card numbers as “not critical.” He argued that this classification downplays the real-world risk to affected customers and accused Orange of misleading communications and shifting responsibility to users.

The attack on Orange Belgium has been claimed by the Warlock ransomware group, which reportedly posted samples of the stolen data online and is offering the full dataset for sale. Warlock has been linked to a recent wave of attacks exploiting vulnerabilities in Microsoft SharePoint, specifically the ‘ToolShell’ exploit chain, which came to light in July 2025.

The same group has previously targeted UK telecoms provider Colt Technology Services, leveraging one of the SharePoint-related vulnerabilities. By contrast, the French Orange incident was attributed to a different group, Babuk2, suggesting the attacks are not connected.

The breach highlights ongoing vulnerabilities in telecom security—particularly the potential for SIM swapping to undermine multi-factor authentication—and underscores the importance of robust data protection and transparent incident communication. While Orange Belgium has taken some steps to mitigate the immediate risks, critics argue that more comprehensive safeguards and clearer customer guidance are needed to adequately protect users from sophisticated attacks.

Telegram Blocks Black Mirror Hacker Group and Data Leak Channels



 

protecting sensitive data

Cyber Security Data Leak Data protection data security Hacker group hacking groups protecting sensitive data

Telegram Blocks Black Mirror Hacker Group and Data Leak Channels

Telegram has stepped up its efforts to curb the spread of sensitive information by blocking several channels accused of leaking private data, with the high-profile Black Mirror hacker group being among the most prominent targets. The platform accused Black Mirror of engaging in activities such as “doxxing and extortion,” according to Novaya Europe. Known for publishing the private correspondence and documents of Russian government officials and influential businessmen, the group often attempted to monetize its activities by offering archives of stolen material to interested buyers. Telegram has gone further by deleting content associated with Black Mirror that had been shared by users in private conversations or added to their favourites, indicating a broad effort to erase the group’s digital footprint.

The move follows a statement from Telegram’s founder, Pavel Durov, who recently revealed that he had received hundreds of reports about scams, blackmail, and extortion schemes running on the platform. Based on this feedback, he confirmed that numerous channels would be banned for similar violations by the end of the week. According to Durov, Telegram had collected clear evidence that some administrators published damaging content only to later remove it in exchange for money. Others were accused of selling “protection blocks,” where victims were forced to pay to avoid further targeting. Such practices, he noted, amounted to clear violations of Telegram’s rules and could not be tolerated.

The crackdown comes at a time when Telegram is facing growing suspicion over its relationship with Russian authorities. Reports indicate that the platform deleted more than 373,000 posts and channels in April 2025 alone at the request of Roskomnadzor, Russia’s state censorship body. In late June, at least 10 channels dedicated to open-source investigations, all with “OSINT” in their names, were also blocked. These actions have sparked concerns among journalists, researchers, and independent outlets who rely on Telegram as a primary communication tool to reach Russian audiences, especially since traditional media channels have come under stricter state control following the invasion of Ukraine.

Adding to user frustration, disruptions have been reported across the service in recent days. Some users complained of difficulties making voice calls through Telegram, which coincided with reports that Russian mobile operators may block calls made via foreign-owned messaging platforms. Analysts suggest this could be part of a broader push by Russian security agencies to limit access to external communication services. For many independent voices in Russia, Telegram has remained one of the few accessible outlets to distribute information freely. With mounting restrictions and targeted bans on influential channels, the future of open dialogue on the platform now appears increasingly uncertain.

Native Phishing Emerges as a New Microsoft 365 Threat Vector



 

Varonis

Cyber Attacks Data Leak Microsoft 365 Native Phishing User Privacy Varonis

Native Phishing Emerges as a New Microsoft 365 Threat Vector

A recent cybersecurity threat report highlights a tactic known as "native phishing," where attackers exploit the trusted, built-in features of Microsoft 365 to launch attacks from within an organization. This method moves beyond traditional phishing emails with malicious attachments, instead leveraging the trust users have in their own company's systems.

The core of native phishing is its subtlety and legitimacy. After compromising a single user's Microsoft 365 account, an attacker can use integrated apps like OneNote and OneDrive to share malicious content. Since these notifications come from a legitimate internal account and the links point to the organization’s own OneDrive, they bypass both security systems and the suspicions of trained users.

Modus operandi

Attackers have found Microsoft OneNote to be a particularly effective tool. While OneNote doesn't support macros, it is not subject to Microsoft's "Protected View," which typically warns users about potentially unsafe files. Its flexible formatting allows attackers to create deceptive layouts and embed malicious links .

In a typical scenario, an attacker who has gained access to a user's credentials will create a OneNote file containing a malicious link within the user's personal OneDrive. They then use the built-in sharing feature to send a legitimate-looking Microsoft notification to hundreds of colleagues. The email, appearing to be from a trusted source, contains a secure link to the file hosted on the company's OneDrive, making it highly convincing.

Victims who click the link are directed to a fake login page, often a near-perfect replica of their company's actual authentication portal. These phishing sites are frequently built using free, AI-powered, no-code website builders like Flazio, ClickFunnels, and JotForm, which allow attackers to quickly create and host convincing fake pages with minimal effort. This technique has shown an unusually high success rate compared to other phishing campaigns.

Mitigation strategies

To combat native phishing, organizations are advised to take several proactive steps:

Enforce multi-factor authentication (MFA) and conditional access to reduce the risk of account takeovers.
Conduct regular phishing simulations to build employee awareness.
Establish clear channels for employees to report suspicious activity easily.
Review and tighten Microsoft 365 sharing settings to limit unnecessary exposure.
Set up alerts for unusual file-sharing behavior and monitor traffic to known no-code website builders.

Manpower Data Breach Hits 145,000 After RansomHub Ransomware Attack



 

Ransomwares

customer data compromise Cyber Attacks Data Breaches Data Leak data security RansomHub RansomHub ransomware ransomware attacks Ransomware group Ransomwares

Manpower Data Breach Hits 145,000 After RansomHub Ransomware Attack

Manpower, one of the world’s largest staffing and recruitment companies, has confirmed that nearly 145,000 individuals had their personal data compromised following a ransomware attack in late December 2024. The company, which operates as part of ManpowerGroup alongside Experis and Talent Solutions, employs more than 600,000 workers across 2,700 offices worldwide and reported $17.9 billion in revenues last year.

The breach came to light after the company investigated a systems outage at a Lansing, Michigan, franchise in January 2025. According to a filing with the Office of the Maine Attorney General, attackers gained unauthorized access to Manpower’s network between December 29, 2024, and January 12, 2025. In notification letters sent to affected individuals, Manpower revealed that certain files may have been accessed or stolen during this time. The company stated that the breach potentially exposed personal information, though the full scope of data compromised remains undisclosed.

On July 28, 2025, the staffing firm formally notified 144,189 individuals that their data may have been involved in the incident. Following the discovery, Manpower announced that it had implemented stronger IT security measures and is cooperating with the FBI to pursue those responsible. To mitigate the impact on victims, the company is also offering complimentary credit monitoring and identity theft protection services through Equifax.

The ransomware group RansomHub has claimed responsibility for the attack. In January, shortly after Manpower disclosed the incident, the group alleged that it had stolen 500GB of sensitive files from the company’s systems. According to RansomHub, the stolen trove included personal and corporate records such as passports, Social Security numbers, contact details, financial documents, HR analytics, and confidential contracts. The gang initially published details of the breach on its dark web site but later removed Manpower’s listing, raising speculation that a ransom may have been paid to prevent further data leaks.

RansomHub is a ransomware-as-a-service (RaaS) operation that emerged in early 2024, evolving from earlier groups known as Cyclops and Knight. Since then, it has been linked to numerous high-profile attacks against global organizations, including Halliburton, Kawasaki’s European operations, Christie’s auction house, Frontier Communications, Planned Parenthood, and the Bologna Football Club. The group was also behind the leak of data stolen in the massive Change Healthcare cyberattack, one of the largest breaches in the U.S. healthcare sector, impacting more than 190 million individuals.

Last year, the FBI reported that RansomHub affiliates had breached over 200 critical infrastructure organizations across the United States, further underlining the group’s reach and persistence. While ManpowerGroup has not confirmed the exact nature of the stolen data or whether negotiations occurred, a company spokesperson clarified that the incident was confined to an independently operated franchise in Lansing. The spokesperson emphasized that the franchise runs on a separate platform, meaning no ManpowerGroup corporate systems were compromised.

The breach highlights the growing risks ransomware attacks pose to global enterprises, particularly those handling large volumes of sensitive employee and client data. It also reflects how threat actors like RansomHub continue to exploit vulnerabilities in third-party and subsidiary operations, targeting organizations indirectly when direct access to corporate systems is more difficult.

Gemini Flaw Exposed Via Malicious Google Calendar Invites, Researchers Find



 

Vulnerabilities and Exploits

Data Leak Gemini Flaw Google Calendar User Privacy Vulnerabilities and Exploits

Gemini Flaw Exposed Via Malicious Google Calendar Invites, Researchers Find

Google recently fixed a critical vulnerability in its Gemini AI assistant, which is tightly integrated with Android, Google Workspace, Gmail, Calendar, and Google Home. The flaw allowed attackers to exploit Gemini via creatively crafted Google Calendar invites, using indirect prompt injection techniques hidden in event titles.

Once the malicious invite was sent, any user interaction with Gemini—such as asking for their daily calendar or emails—could trigger unintended actions, including the extraction of sensitive data, the control of smart home devices, tracking of user locations, launching of applications, or even joining Zoom video calls.

The vulnerability exploited Gemini’s wide-reaching permissions and its context window. The attack did not require acceptance of the calendar invite, as Gemini’s natural behavior is to pull all event details when queried. The hostile prompt, embedded in the event title, would be processed by Gemini as part of the conversation, bypassing its prompt filtering and other security mechanisms.

The researchers behind the attack, SafeBreach, demonstrated that just acting like a normal Gemini user could unknowingly expose confidential information or give attackers command over connected devices. In particular, attackers could stealthily place the malicious prompt in the sixth invite out of several, as Google Calendar only displays the five most recent events unless manually expanded, further complicating detection by users.

The case raises deep concerns about the inherent risks of AI assistants linked to rich context sources like email and calendars, where hostile prompts can easily evade standard model protections and inject instructions not visible to the user. This type of attack, called an indirect prompt injection, was previously flagged by Mozilla’s Marco Figueroa in other Gemini-related exploits. Such vulnerabilities pave the way for both data leaks and convincing phishing attacks.

Google responded proactively, patching the flaw before public exploitation, crediting the research team for responsible disclosure and collaboration. The incident has accelerated Google’s deployment of advanced defenses, including improved adversarial awareness and mitigations against hijack attempts.

Security experts stress that continued red-teaming, industry cooperation, and rethinking automation boundaries are now imperative as AI becomes more enmeshed in smart devices and agents with broad powers. Gemini’s incident stands as a wake-up call for the real-world risks of prompt injection and automation in next-generation AI assistants, emphasizing the need for robust, ongoing security measures.

Leaked Data Exposes Daily Lives of North Korean IT Workers in Remote Work Scams



 

Remote Workers

Data Breach Data Leak Data protection data security IT workers Job Scams North Korea North Korea Hackers Remote Workers

Leaked Data Exposes Daily Lives of North Korean IT Workers in Remote Work Scams

A recent data leak has shed rare light on the hidden world of North Korean IT workers who carry out remote work scams worldwide. The revelations not only expose the highly organized operations of these state-sponsored workers but also offer an unusual glimpse into their demanding work culture and limited personal lives.

According to the leak, North Korean IT operatives rely on a mix of fraudulent digital identities and sophisticated tools to infiltrate global companies. Using fake IDs, resumes, and accounts on platforms such as Google, GitHub, and Slack, they are able to secure remote jobs undetected. To conceal their location, they employ VPNs and remote access programs like AnyDesk, while AI-powered deepfakes and writing assistants assist in polishing resumes, generating fake profiles, and handling interviews or workplace communication in English.

The documents reveal an intense work environment. Workers are typically expected to log a minimum of 14 hours per day, with strict quotas to meet. Failure to achieve these targets often results in even longer working hours. Supervisors keep close watch, employing surveillance measures like screen recordings and tight control over personal communications to ensure productivity and compliance.

Despite the pressure, fragments of normalcy emerge in the leaked records. Spreadsheets point to organized social activities such as volleyball tournaments, while Slack messages show employees celebrating birthdays, exchanging jokes, and sharing memes. Some leaked recordings even caught workers playing multiplayer games like Counter-Strike, suggesting attempts to balance their grueling schedules with occasional leisure.

The stakes behind these scams are far from trivial. According to estimates from the United Nations and the U.S. government, North Korea’s IT worker schemes generate between $250 million and $600 million annually. This revenue plays a direct role in funding the country’s ballistic missile programs and other weapons of mass destruction, underscoring the geopolitical consequences of what might otherwise appear as simple cyber fraud.

The leaked data also highlights the global scale of the operation. Workers are not always confined to North Korea itself; many operate from China, Russia, and Southeast Asian nations to evade detection. Over time, the scheme has grown more sophisticated, with increasing reliance on AI and expanded targeting of companies across industries worldwide.

A critical component of these scams lies in the use of so-called “laptop farms” based in countries like the United States. Here, individuals—sometimes unaware of their role—receive corporate laptops and install remote access software. This setup enables North Korean operatives to use the hardware as if they were legitimate employees, further complicating efforts to trace the fraud back to Pyongyang.

Ultimately, the leak provides a rare inside view of North Korea’s state-directed cyber workforce. It underscores the regime’s ability to merge strict discipline, advanced digital deception, and even glimpses of ordinary life into a program that not only exploits global companies but also fuels one of the world’s most pressing security threats.

KLM Alerts Customers After Data Theft by Fraudsters



 

Privacy Threat

Data Breach Data Leak Data Theft KLM Alerts Privacy Threat

KLM Alerts Customers After Data Theft by Fraudsters

On Wednesday, Air France and KLM announced a breach of a customer service platform, compromising the personal data of an undisclosed number of customers. The breach highlights the increasing cybersecurity challenges faced by the aviation industry. Air France–KLM Group, the company founded in 2004, is a multinational airline holding company with a French–Dutch core. It is known as one of the largest airline holding companies in the world.

The two carriers, along with Transavia, operate under it. During the year 2024, the airline company could transport 98 million passengers worldwide through its fleet of 564 aircraft, a workforce of 78,000 employees, and a network that extended to 300 destinations in 90 countries. As a result of this incident, customers as well as the industry as a whole should be concerned.

There was a report of a breach at an airline group's external customer service platform which gave attackers access to sensitive information, including customer names, contact information, frequent flyer records, and recent transaction history, by accessing an external customer service platform. Although Air France and KLM emphasised that no internal systems or financial data had been compromised, they also confirmed that they were taking immediate steps to prevent any further unauthorised access to their systems.

Security analysts note that the incident appears to have echoes of the ShinyHunters cybercrime group, an organisation notorious for exploiting platforms like Salesforce through phishing and social engineering campaigns. Regulatory authorities in France and the Netherlands have been notified, and affected passengers have been notified directly.

There have been several breaches that have impacted major global brands over the year, including Google, Adidas, and many luxury fashion houses, and the group has previously been linked to many such breaches. There has been no confirmation by the airline group whether Salesforce was involved in this attack, but the techniques and the timing of the attack appear consistent with the group's activities.

Recently, such threats have risen to a large extent, including WestJet and Hawaiian Airlines, which experienced similar breaches in the past few months. These developments have led to the recommendation that customers remain vigilant against possible phishing attacks in light of the recent developments, while industry experts suggest that third-party platforms should be audited rigorously, access controls should be enhanced, and strong cybersecurity frameworks should be implemented in order to protect against future threats.

Interestingly, the breach bears striking similarities to one disclosed by the Australian carrier Qantas in July, which also involved the compromise of a third-party customer service platform. In that case, hackers were able to gain access to personal information, including the names, dates of birth, e-mail addresses, telephone numbers, and frequent flyer membership numbers of customers.

It has come to our attention that the attackers had also gotten residential and business addresses as well as hotel delivery addresses associated with lost baggage, and in a few cases, even the meal preferences of passengers, according to a subsequent investigation. According to Qantas, approximately six million people were affected by this attack.

There is a rise in fraudulent activity that has been targeting the airline's customers, urging passengers to be vigilant against communications from individuals impersonating the airline in the future. According to security sources, the breach is part of a larger wave of attacks attributed to ShinyHunters, a threat actor known for exploiting Salesforce environments through vishing and social engineering techniques, which has been linked to numerous attacks over the years.

The campaign has also hurt several high-profile organisations, including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and most recently, Google, which has been among the organisations affected. An Air France–KLM spokesman declined to provide further details, citing the ongoing investigation, when asked whether the breach involved a compromised Salesforce instance or how many individuals were affected.

Several other aviation-related breaches have been linked to the Scattered Spider hacker collective, which has recently turned its attention to targeting airlines and transportation businesses, including this incident. In the past, the Scattered Spider group had attacked insurance companies and retail firms, but in recent months it has been compromising carriers such as WestJet and Hawaiian Airlines. In response to the incident, KLM informed the Dutch Data Protection Authority of the breach, whereas Air France informed the French Data Protection Authority of the breach.

There is a direct message being sent by both carriers to all of their customers about the compromise, and they are encouraging them to be vigilant against any emails or phone calls that could be influenced by the compromise. Air France–KLM Group, the parent company of the airlines, along with Transavia, operates as a multinational carrier established in 2004.

Air France–KLM employs approximately 78,000 people and transports millions of passengers every year, all across the globe. There has been no confirmation regarding who perpetrated the breach, however cybersecurity analysts have suggested that it may have been connected to a group called ShinyHunters that have previously infiltrated Salesforce environments to steal data from major brands like Chanel, Tiffany & Co., and Dior to steal their data.

A cybersecurity expert at Immersive, Ben McCarthy, commented on the possible link between the two systems by explaining that campaigns targeting SaaS platforms like Salesforce underscore how much threat actors value these systems, since a single breach could lead to the access of the data of multiple organisations. This incident is a stark reminder of the security risks inherent in the increasingly complex digital ecosystem, which airlines are increasingly relying on.

A growing number of carriers are using interconnected platforms and third-party services to enhance customer experiences, but they are also increasing the attack surface that is available to threat actors. It is well known that to protect such large networks, not just advanced technical safeguards are needed, but also continuous collaboration is needed between aviation companies, regulators, and cybersecurity experts.

A number of attacks have demonstrated both persistence and adaptability, so the industry faces a growing need to anticipate threats rather than merely reacting to them. Passengers have a crucial line of defence in the form of heightened awareness, as even the most sophisticated security systems can be compromised by a single successful phishing attack or a manipulated interaction with customers.

The latest breach in the ever-evolving landscape of cyber threats illustrates what is now becoming a growing reality, which is that trust and security are now equally as essential to the journey as the aircraft themselves, especially in the field of aviation.

Venice Film Festival Cyberattack Leaks Personal Data of Accredited Participants



 

Personal Data Breach

Data Breach Data Leak Data protection data security Data Theft Italy Personal Data Personal Data Breach

Venice Film Festival Cyberattack Leaks Personal Data of Accredited Participants

The Venice Film Festival has reportedly been hit by a cyberattack, resulting in the leak of sensitive personal data belonging to accredited attendees. According to The Hollywood Reporter, the breach exposed information including names, email addresses, contact numbers, and tax details of individuals registered for this year’s event. The affected group includes both festival participants and members of the press who had received official accreditation. News of the incident was communicated through an official notification.

The report states that unauthorized actors gained access to the festival’s servers on July 7. In response, the event’s IT team acted swiftly to contain the breach. Their immediate measures included isolating compromised systems, securing affected infrastructure, and notifying relevant authorities. Restoration work was launched promptly to minimize disruption. Those impacted by the incident have been advised to contact the festival at privacy@labiennale.org for more information and guidance.

Organizers assured that the breach would not affect payment processing, ticketing, or booking systems. This means that preparations for the upcoming 82nd edition of the Venice Film Festival will continue as scheduled, with the event set to run from August 27 to September 9, 2025, in Venice, Italy. As in previous years, the program will feature an eclectic mix of global cinema, spanning independent works, arthouse creations, and major Hollywood productions.

The 2025 lineup boasts notable names in international filmmaking. Hollywood will be represented by directors such as Luca Guadagnino, Guillermo del Toro, Yorgos Lanthimos, Kathryn Bigelow, Benny Safdie, and Noah Baumbach. Baumbach’s new film Jay Kelly features a star pairing of George Clooney and Adam Sandler, alongside a supporting cast that includes Laura Dern, Greta Gerwig, Riley Keough, Billy Crudup, Eve Hewson, Josh Hamilton, and Patrick Wilson.

Following last year’s Queer, Guadagnino returns with After The Hunt, a morally complex drama starring Ayo Edebiri, Julia Roberts, and Andrew Garfield, screening in the Out of Competition category. Benny Safdie will present The Smashing Machine, featuring Dwayne Johnson and Emily Blunt in a tense sports drama — his first solo directorial effort after his collaborations with brother Josh on acclaimed films like Uncut Gems and Good Time.

Festival director Alberto Barbera has hinted at a strong awards season presence for several films in the lineup. He cited The Smashing Machine, Kathryn Bigelow’s latest feature, and Guillermo del Toro’s adaptation of Frankenstein as potential Oscar contenders. Despite the cyberattack, the Venice Film Festival remains on track to deliver one of the year’s most anticipated cinematic showcases.

NZTA Breach Results in Vehicle Theft, User Data Compromise



 

User Privacy

Car Data Leak NZTA Technology Theft User Privacy

NZTA Breach Results in Vehicle Theft, User Data Compromise

Data compromise leads to targeted motor theft

A privacy breach has leaked the details of 1000 people (estimate) in a Transport firm's database over the past year. According to the agency, the breach targeted 13 vehicles for theft. The problem was in the agency’s Motocheck system, which let users access information stored on the Motor Vehicle Register.

User account compromise led to unauthorized access

According to the NZTA, it became aware of the attack in May 2025 when a customer complained, and also through the police as part of an investigation. NZTA found that illegal access happened from an ex-employee's account of Motocheck of Auckland Auto Collections LTD. The threat actor used the compromised account to access people’s personal information, such as names and addresses from the MVR.

"To date, we have determined that names and addresses of 951 people were accessed improperly over the 12 months to May 2025, and that at least 13 of these vehicles are suspected to have been targeted for theft," NZTA said in a statement.

NZTA assisting affected customers

The agency contacted affected customers to assist them in the breach and updated them on measures that were taken to address the incident, and also offered support and assistance for their concerns.

"We have sincerely apologised to those affected for the inconvenience and distress caused by the breach," it said. NZTA is also assisting police in their investigations of the incident and the vehicles that were targeted for theft. NZTA also informed the Office of the Privacy Commissioner. The agency’s systems aim to protect people’s privacy.

NZTA claims that "work is underway to improve the protection of personal information within our registers, with a priority to address risks of harm. This work will involve improvements across policy, contractual, operational, and digital aspects of register access.” A customer impacted by the incident was informed by the agency that their name and address were stolen last year.

NZTA said that they “have been unable to confirm the reason why your name and address were accessed. If you feel that your safety is at risk, we encourage you to contact NZ Police directly."

Ransomware Attacks Threaten CEOs to Get Results



 

Technology

AI Dark Web Data Leak Internet Ransomware Technology

Ransomware Attacks Threaten CEOs to Get Results

Ransomware gangs are getting desperate for results. Generally known for encrypting and leaking data on the internet, they have now started blackmailing CEOs with physical violence.

CEO's get physically threatened

Cybersecurity experts from Semperis say that over the past year, in 40% of ransomware attacks, the CEOs of the victim company were physically attacked, which is particularly prevalent in US-based organizations, at 46%.

However, even paying the attackers is not enough. The research revealed that over 55% of businesses that paid a ransom had to do so multiple times, with around 29% of those firms paying three or more times, and 15% didn’t even receive decryption keys, while in a few cases, they received corrupted keys.

New ransomware tactics

Blackmailing to file a regulatory complaint is also a famous tactic, Semperis said. It was found in 47% of attacks, increasing to 58% in the US.

In 2023, the notorious BlackCat ransomware gang reported one of its victims to the Securities and Exchange Commission (SEC) to make them pay. This was done because the SEC requires organizations to report about a cybersecurity incident if there is a breach, which includes the SEC's four-day disclosure rule for publicly traded businesses.

Ransomware on the rise

Ransomware attacks have threatened businesses and the cybersecurity industry for decades, constantly evolving and outsmarting security professionals. The attacks started with encryption, but the companies started mitigating by having offline backups of all the important data.

Ransomware actors then turned to stealing data and blackmailing to leak it on the web if the ransom was not paid. Known as “double extortion,” the technique works really well. Some threat actors even dropped the encryption part totally and now focus on stealing files. But many companies still don’t cave in, forcing cybercriminals to go to extreme lengths.

New tactics

In a few cases, the attackers combine the encryption of the back-end with a DDoS on the front-end, stopping the business entirely. Semperis CEO Mickey Bresman said that while some “circumstances might leave the company in a non-choice situation, we should acknowledge that it's a down payment on the next attack.”

"Every dollar handed to ransomware gangs fuels their criminal economy, incentivizing them to strike again. The only real way to break the ransomware scourge is to invest in resilience, creating an option to not pay ransom," he commented.

Dollar Tree Refutes Cyberattack Claim, Says Leaked Data Belongs to Another Company



 

Ransomware

Cyber Attacks Data Leak Dollar Tree Hacking Ransomware

Dollar Tree Refutes Cyberattack Claim, Says Leaked Data Belongs to Another Company

Discount retail chain Dollar Tree has denied being the target of a recent cyberattack, following claims by a ransomware group that it stole sensitive company files. According to Dollar Tree, the data allegedly leaked online does not belong to them but appears to be from a completely different company.

The hacking group, which calls itself “INC Ransom,” listed Dollar Tree on its dark web site, stating it had stolen over one terabyte of confidential information, including personal documents such as scanned passports. The group even shared a sample of the files and quoted an old Dollar Tree press release to suggest it had access to internal information.

However, Dollar Tree has firmly denied being hacked. Company officials say the data actually comes from 99 Cents Only, a separate discount chain that went out of business earlier this year.

What really happened?

99 Cents Only, once a popular budget retailer, filed for bankruptcy in April 2024. Rising costs, pandemic aftereffects, and increasing theft were cited among the reasons for its financial collapse. By mid-2024, all 371 of its stores were shut down and assets liquidated.

Dollar Tree later acquired rights to 170 of these store locations, along with their U.S. and Canadian web domains and some store equipment. But according to Dollar Tree, they never purchased the company's internal data, networks, or systems.

A Dollar Tree spokesperson clarified the situation:

"The files mentioned in these cyberattack claims appear to be linked to former employees of 99 Cents Only. Dollar Tree only acquired certain real estate leases and select assets not their data or technology infrastructure. Any suggestion that we were breached is simply not true."

Because 99 Cents Only is no longer operational, its customer support lines and emails are inactive, making it difficult to get an official response from the company itself.

Is Dollar Tree affected?

Dollar Tree says there’s no indication its own systems were accessed or compromised. The company remains one of the largest and most profitable players in the U.S. discount retail sector, reporting over $17 billion in sales last year.

While the ransomware group has not clarified the confusion, cybersecurity experts suggest the mix-up may stem from Dollar Tree’s acquisition of 99 Cents Only store leases, which may have led attackers or observers to wrongly associate the two companies.

This incident is a testament to how misleading information can spread quickly, especially when legacy data from bankrupt companies becomes part of a broader breach.

Dollar Tree is continuing to monitor the situation but insists there is no current threat to its systems or customer data.

Ridgefield Public Schools Faces 2-day Deadline After Hackers Threaten to Leak 90 GB of Stolen Data



 

SafePay ransomware

Data Breach Data Leak Ransomware attack Ridgefield Public Schools SafePay ransomware

Ridgefield Public Schools Faces 2-day Deadline After Hackers Threaten to Leak 90 GB of Stolen Data

Ridgefield Public Schools in Connecticut was hit by a ransomware attack on July 24, 2025, with the SafePay ransomware gang now threatening to release 90 GB of stolen data within two days if ransom demands aren't met.

The school district's cybersecurity tools detected attempts to deploy an encryption malware, prompting them to immediately take their computer network offline to investigate. While RPS confirmed that a ransom was demanded, they haven't revealed the amount or whether it was paid. The fact that SafePay has now published the school district on its leak site suggests negotiations have failed.

Impact on school operations

System restoration is ongoing, with RPS hoping teachers would regain email access this week. The district serves approximately 4,500 students across nine schools (six elementary, two middle schools, and one high school). They are investigating potential data breaches and offering advice on data protection in case sensitive personal information was stolen.

Broader education sector threats

This attack is part of a concerning trend - 26 confirmed ransomware attacks have hit the US education sector in 2025 so far, with 49 more unconfirmed. Recent victims include School District 5 of Lexington and Richland Counties (1.3 TB stolen), Franklin Pierce Schools ($400,000 ransom demand), and Manassas Park City Schools where Social Security numbers and financial data may have been compromised.

In 2024 alone, nearly 3 million records were breached across 83 attacks on US educational institutions, highlighting the severe ongoing impact on schools, colleges, and universities.

About SafePay ransomware group

SafePay first emerged in November 2024 and has since conducted 278 tracked attacks, with 35 confirmed by victims. The group uses LockBit-based ransomware and employs a double-extortion technique - demanding payment both to decrypt systems and delete stolen data. RPS is the sixth educational institution confirmed to have fallen victim to SafePay, following attacks on Harrison County Board of Education and a Czech school this year.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item

Changing roles of CISOs

Doing business is a concern

AI: Saviour or danger?

Data compromise leads to targeted motor theft

User account compromise led to unauthorized access

NZTA assisting affected customers

CEO's get physically threatened

New ransomware tactics

Ransomware on the rise

New tactics