SecureFact: Cyber Security News Highlights
Data Breaches
December 31 2024 to January 27 2025
1. Ransomware gang leaks data stolen in Rhode Island’s RIBridges Breach
The Brain Cipher ransomware gang has started leaking data stolen from Rhode Island’s RIBridges social services platform, which manages various assistance programs. Following the discovery of malicious code, RIBridges was shut down for remediation on December 13. Recent leaks from Brain Cipher include personal information of approximately 650,000 individuals, including names, addresses, dates of birth, Social Security numbers, and banking details. Rhode Island Governor McKee acknowledged the data’s release on the dark web and urged residents to take precautions to protect their personal information.
2. Rhysida Hits American Addiction Centers + Publishes 2.8TB of Data
The Rhysida ransomware group has claimed responsibility for a significant cyber-attack on American Addiction Centers (AAC), resulting in the theft of approximately 2.8TB of sensitive data. The breach, discovered on September 26, 2024, has led to notifications sent to 422,424 affected individuals, informing them that their personal information—including names, Social Security numbers, and health insurance details—was compromised. In response to the incident, AAC is offering 12 months of credit monitoring to those impacted. Rhysida has publicly listed AAC on its leak site, stating that most of the stolen data is now available online.
3. Ascension Health Notifying 5.6 Million of Data Breach
Ascension Health has reported a significant data breach affecting 5.6 million individuals, following a cyber-attack detected on May 8, 2024. The breach, which occurred on February 29, involved an employee inadvertently downloading a malicious file that compromised sensitive personal information, including names, insurance details, Social Security numbers, and payment information. In response to the breach, Ascension is notifying affected individuals and offering support services that include 24 months of credit monitoring, a $1,000,000 insurance reimbursement policy, and identity theft recovery services.
4. Chinese hackers targeted sanctions office in Treasury attack
Chinese state-backed hackers have successfully breached the Office of Foreign Assets Control (OFAC) within the U.S. Treasury Department, as disclosed in a recent letter to Congress. This incident, described as a “major cybersecurity incident,” involved the exploitation of the BeyondTrust remote support platform. The attackers specifically targeted OFAC to gather intelligence on potential sanctions against Chinese individuals and organizations. The hackers also accessed the Treasury’s Office of Financial Research; the full extent of the breach is still being evaluated. Separately, officials have advised the adoption of end-to-end encrypted messaging applications to enhance communication security. The U.S. government is also considering banning China Telecom’s remaining operations in the country and has introduced legislation aimed at securing American telecom networks from similar cyber threats.
5. New York Hospital Says Ransomware Attack Data Breach Impacts 670,000
A ransomware attack on a New York hospital has resulted in a data breach affecting approximately 670,000 individuals. The incident involved unauthorized access to sensitive patient information, including names, addresses, dates of birth, Social Security numbers, and medical records. The hospital has initiated an investigation and is working with cybersecurity experts to assess the situation and mitigate the impact. Affected individuals are being notified and offered resources to help protect their personal information. The hospital emphasized its commitment to safeguarding patient data and is taking steps to enhance its security measures in response to the attack.
6. UK domain registry Nominet confirms breach via Ivanti zero-day
Nominet, the UK domain registry responsible for managing over 11 million domain names, has confirmed a network breach that occurred two weeks ago due to a zero-day vulnerability in Ivanti’s VPN software. The breach was linked to a critical vulnerability (CVE-2025-0282) that allowed attackers to exploit remote access systems. Despite the breach, Nominet stated there is currently no evidence of data leakage or backdoors in their systems. The company has reported the incident to relevant authorities, including the National Cyber Security Centre (NCSC), and has implemented restrictions on VPN access as a precaution.
7. Telefónica confirms internal ticketing system breach after data leak
Telefónica has confirmed a breach of its internal ticketing system after data was leaked on a hacking forum. The company, which operates under the name Movistar in Spain, reported that unauthorized access was gained to their Jira development and ticketing server using compromised employee credentials. The attackers, identified by aliases such as DNA, Grep, Pryx, and Rey, claimed to have extracted approximately 2.3 GB of documents and tickets, some of which involved customer-related issues. In response to the breach, Telefónica has taken steps to block unauthorized access and reset passwords for affected accounts.
8. STIIIZY data breach exposes cannabis buyers’ IDs and purchases
STIIIZY, a prominent California-based cannabis brand, has reported a data breach involving its point-of-sale (POS) vendor, which compromised sensitive customer information. The breach was first detected on November 20, 2024, following a notification from the vendor about unauthorized access by an organized cybercrime group. An investigation revealed that personal data was stolen between October 10 and November 10, 2024. The compromised information includes government-issued IDs such as driver’s licenses and medical cannabis cards, along with transaction histories. Specific details affected include names, addresses, dates of birth, driver’s license numbers, passport numbers, photographs, and signatures. The breach impacted customers who made purchases at select STIIIZY locations in San Francisco, Alameda, and Modesto. In response to the breach, STIIIZY has implemented enhanced security measures and is offering free credit monitoring to affected individuals.
9. Largest US addiction treatment provider notifies patients of data breach
BayMark Health Services, the largest provider of substance use disorder treatment in North America, has notified patients of a data breach that occurred between September 24 and October 14, 2024. The breach was discovered on October 11, 2024, when unauthorized access disrupted the company’s IT systems. An investigation revealed that attackers accessed files containing sensitive patient information, including Social Security numbers, driver’s license numbers, treatment details, and insurance information. In response to the breach, BayMark is offering one year of free identity monitoring services to affected individuals. The ransomware group RansomHub has claimed responsibility for the attack, stating they stole approximately 1.5 TB of data from BayMark’s systems. The company has implemented additional security measures to prevent future incidents and expressed its commitment to protecting patient information amid growing concerns over healthcare data security breaches.
10. Medical billing firm Medusind discloses breach affecting 360,000 people
Medusind, a major medical billing provider, has disclosed a data breach affecting approximately 360,934 individuals, which occurred in December 2023. The Miami-based company detected suspicious activity on its network and subsequently took affected systems offline, engaging a cybersecurity firm for investigation. The breach exposed various types of sensitive information, including:
- Health insurance and billing details (e.g., policy numbers and claims information)
- Payment information (e.g., credit/debit card numbers)
- Health records (e.g., medical history and prescription information)
- Government IDs (e.g., Social Security numbers and driver’s licenses)
- Other personal data (e.g., names, addresses, and contact information)
In response to the breach, Medusind is offering two years of free identity monitoring services to those affected, including credit monitoring and identity theft restoration support.
11. Thousands of credit cards stolen in Green Bay Packers store breach
The Green Bay Packers have reported a data breach affecting over 8,500 customers of their official Pro Shop online store, which occurred in September 2024. The breach was discovered on October 23, prompting the team to disable all checkout and payment functionalities immediately. A subsequent investigation revealed that cybercriminals injected malicious code into the checkout page to steal sensitive customer information. The compromised data included names, addresses, email addresses, credit card types and numbers, expiration dates, and CVVs. However, the attackers were unable to intercept transactions made using gift cards or third-party payment options like PayPal and Amazon Pay. The Packers have since removed the malicious code and implemented security measures with their website vendor. Affected individuals are being offered three years of identity theft restoration and credit monitoring services through Experian. The Packers advised customers to monitor their accounts for any fraudulent activity and report any identity theft attempts to their banks and authorities.
12. UN aviation agency confirms recruitment database security breach
The United Nations’ International Civil Aviation Organization (ICAO) has confirmed a data breach involving its recruitment database, resulting in the theft of approximately 42,000 records. This incident was first announced on January 8, 2025, following an investigation into a potential security breach. The breach was linked to a threat actor known as “Natohub,” who leaked an archive of documents on the BreachForums hacking forum. The stolen data reportedly includes names, dates of birth, addresses, phone numbers, email addresses, and employment history. However, ICAO clarified that no financial information, passwords, or sensitive personal documents were compromised. The agency emphasized that the breach is limited to recruitment data and does not impact aviation safety or security systems.
13. Otelier data breach exposes info, hotel reservations of millions
Otelier, a hotel management platform, experienced a significant data breach that exposed personal information and reservations for millions of guests associated with major hotel brands like Marriott, Hilton, and Hyatt. The breach reportedly began in July 2024 and continued until October, during which hackers accessed nearly eight terabytes of data from Otelier’s Amazon S3 cloud storage. The attackers gained access by initially compromising Otelier’s Atlassian server through stolen employee credentials obtained via malware. They downloaded extensive data, including nightly reports and accounting documents related to Marriott, which confirmed the breach’s impact but stated that none of its own systems were compromised. While the stolen data includes guests’ names, addresses, phone numbers, and email addresses, there is no evidence that sensitive information like passwords or billing details was taken.
14. Wolf Haldenstein law firm says 3.5 million impacted by data breach
Wolf Haldenstein Adler Freeman & Herz LLP has reported a significant data breach affecting approximately 3.5 million individuals. The breach, which occurred on December 13, 2023, was only disclosed publicly on January 12, 2025, due to complications in data analysis and digital forensics. The breach was detected when suspicious activity was noted in the firm’s network, leading to the discovery that unauthorized access had occurred. The exposed data includes sensitive information such as full names, Social Security numbers, employee identification numbers, medical diagnoses, and medical claim information. Although the firm has not found evidence of misuse of this data, the exposure heightens the risk of phishing and other targeted attacks. Wolf Haldenstein has struggled to notify affected individuals due to difficulties in locating their contact information.
15. Label giant Avery says website hacked to steal credit cards
Avery Products Corporation has reported a data breach following a cyberattack on its website, which occurred on December 9, 2024. The breach was linked to a card skimmer that had been implanted on their online shop, avery.com, as early as July 18, 2024. This malicious software allowed attackers to scrape sensitive payment information entered by customers during transactions. The compromised data includes customers’ names, billing and shipping addresses, email addresses, phone numbers, and payment card details (such as card numbers, CVV codes, and expiration dates). However, no Social Security numbers or government-issued IDs were involved. Despite this, the exposed information is sufficient for potential fraudulent transactions. Avery acknowledged receiving reports from customers about unauthorized charges and phishing attempts after the breach. Approximately 61,193 customers were affected by this incident. To assist those impacted, Avery is offering 12 months of free credit monitoring through Cyberscout and has set up a dedicated assistance line for inquiries related to the breach.
16. OneBlood confirms personal data stolen in July ransomware attack
OneBlood, a non-profit organization that supplies blood to over 250 hospitals in the U.S., has confirmed that a ransomware attack in July 2024 resulted in the theft of personal data from its donors. The attack, which began on July 14 and was discovered on July 28, forced OneBlood to revert to manual processes, causing significant delays in blood collection and distribution, ultimately leading to critical shortages. The organization notified the public about the breach on July 31, but it wasn’t until January 2025 that they began sending out data breach notifications to affected individuals. The investigation revealed that the stolen data primarily included names and Social Security numbers, raising concerns about potential identity theft and financial fraud. To assist those impacted, OneBlood is offering a free one-year credit monitoring service and recommends that individuals consider placing credit freezes or fraud alerts on their accounts. Although OneBlood fulfilled its commitment to inform affected individuals, the six-month delay in notification has left many at risk.
17. Telefonica Breach Exposes Jira Tickets, Customer Data
Telefónica has confirmed a data breach that exposed sensitive information from its Jira ticketing system, affecting customer data. The breach, which occurred in December 2024, allowed unauthorized access to internal tickets containing personal details of customers, including names, email addresses, and phone numbers. The attackers reportedly exploited vulnerabilities in the company’s systems to gain entry and extract data. Telefónica has stated that they are investigating the incident and have implemented measures to enhance security protocols to prevent future breaches. The company is also notifying affected customers and advising them to remain vigilant against potential phishing attempts or identity theft resulting from the exposure of their information. This incident highlights ongoing concerns regarding cybersecurity in large organizations and the importance of robust data protection measures.
18. PowerSchool hacker claims they stole data of 62 million students
The recent cyberattack on PowerSchool, a major provider of educational software, has led to the alleged theft of personal data from 62.4 million students and 9.5 million teachers. The breach was disclosed on January 7, 2025, after hackers accessed the company’s customer support portal using stolen credentials, allowing them to download sensitive information from various school districts’ databases. The hacker’s extortion demand indicated that data from 6,505 school districts across the U.S., Canada, and other countries was compromised. Notable affected districts include the Toronto District School Board, which had over 1.4 million students impacted, and the Dallas Independent School District, with approximately 787,000 students affected. PowerSchool has stated that while they cannot confirm exact numbers due to ongoing investigations, they believe that less than a quarter of the impacted students had their Social Security Numbers exposed. In response to the breach, PowerSchool will offer two years of complimentary identity protection and credit monitoring services to those affected and will notify relevant authorities and stakeholders.
19. UnitedHealth confirms 190 million Americans affected by Change Healthcare data breach
UnitedHealth Group has confirmed that a significant data breach at Change Healthcare has affected approximately 190 million Americans. The breach, which was disclosed on January 24, 2025, involved unauthorized access to sensitive personal information, including names, addresses, dates of birth, and Social Security numbers. The company stated that they are actively investigating the incident and have implemented measures to enhance security and prevent future breaches. UnitedHealth emphasized their commitment to protecting customer data and will provide updates as more information becomes available. This breach marks one of the largest healthcare-related data compromises in recent history, raising concerns about the security of personal health information across the industry.
20. Cloudflare CDN flaw leaks user location data, even through secure chat apps
A recently discovered flaw in Cloudflare’s content delivery network (CDN) poses a risk of exposing users’ general location data through secure messaging platforms like Signal and Discord. This vulnerability allows attackers to infer a user’s geographic region by sending them an image, which can trigger a deanonymization attack without user interaction, classifying it as a zero-click attack. The researcher, Daniel, found that by leveraging a bug in Cloudflare Workers, he could manipulate requests to route through specific data centers. This method enables the attacker to identify the nearest airport code based on the CDN’s response, providing location accuracy within 50 to 300 miles. The flaw is particularly concerning for privacy-sensitive individuals such as journalists and activists, while it could assist law enforcement in tracking suspects.
21. Account Credentials for Security Vendors Found on Dark Web
A recent report by Cyble reveals that account credentials from major cybersecurity vendors are being sold on dark web marketplaces, with prices starting as low as $10. The leaked credentials primarily belong to customers but also include alarming numbers from the vendors themselves, exposing sensitive internal accounts related to enterprise and security systems. The report highlights that the credentials were likely harvested through infostealer malware infecting customer devices. Cyble examined leaks from 14 cybersecurity vendors, including CrowdStrike, Palo Alto Networks, and McAfee, noting that all had both customer and internal credentials compromised this year. Notably, McAfee reported over 600 leaks, while CrowdStrike had more than 300. These leaks could potentially allow hackers to conduct reconnaissance on targeted organizations by revealing system information and vulnerabilities.
22. HPE Investigates After Alleged Data Breach
Hewlett Packard Enterprise (HPE) is currently investigating an alleged data breach that reportedly exposed sensitive customer information. The company has not confirmed the specifics of the breach or the extent of the data compromised. HPE stated that they are working diligently to assess the situation and are collaborating with cybersecurity experts to understand the incident better. The investigation follows claims made by a hacking group that they have obtained HPE data, which they are threatening to release unless a ransom is paid. HPE has reassured its customers that it takes such incidents seriously and is committed to maintaining data security and integrity. As of now, there are no indications of any operational disruptions within HPE’s services, and the company is focused on ensuring that any vulnerabilities are addressed promptly. Further updates will be provided as the investigation unfolds.