Oracle A.I CyberSecurity Scoring
Oracle
Company Information
Website: http://www.oracle.com
Employees number: 197,447
Number of followers: 11,005,980
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: oracle.com
Oracle Risk Score (AI oriented)
Updated: 22/06/2026
Current Score: 100/1000 (scale 0 to 1000), band "Between 0 and 549", rating C (CRITICAL)
Oracle Global Score (TPRM): score locked
56 incidents, -29.67 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026 | Vulnerability | 15 Jun 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: ORA1781526596
Oracle: ShinyHunters Claims Council of Europe Hack
ShinyHunters Claims Breach of Council of Europe, Threatens to Leak 300GB of Stolen Data
The cyber extortion group ShinyHunters has alleged a breach of the Council of Europe, claiming to have stolen nearly 300 gigabytes of sensitive data from the organization’s network. The Council of Europe, a 46-member intergovernmental body founded in 1949 and an official UN observer, focuses on human rights, democracy, and the rule of law.
On June 9, ShinyHunters added the Council of Europe to its Tor-based leak site, asserting it exfiltrated over 429,000 files from multiple departments, including HR, the Secretariat, the Parliamentary Assembly, and the European Directorate for the Quality of Medicines & HealthCare. The stolen data reportedly includes:
- Payroll records of over 10,000 employees (2011–2026)
- 14,000+ CVs
- Contract and purchase orders
- Absence and illness reports
- Bank account details, performance evaluations, and payroll exports
- Personal data: names, IDs, addresses, phone numbers, dates of birth, tax and social security information, and medical records
The group has set a June 16 deadline, threatening to release the data publicly if the Council of Europe does not engage in negotiations. As of now, the organization has not publicly acknowledged the breach.
ShinyHunters has been active since mid-2025, with recent high-profile attacks targeting Salesforce customers (including Carnival, Canvas, and Grafana) and exploiting a zero-day vulnerability in Oracle PeopleSoft, which Google confirmed last week may have impacted 100 organizations. The group’s tactics align with double-extortion schemes, where stolen data is used as leverage for ransom demands.
JUNE 2026 | Vulnerability | 11 Jun 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: ORA1781180663
Oracle: Oracle Emergency Security Update to Fix Critical RCE Vulnerability
Oracle Issues Emergency Alert for Critical PeopleSoft RCE Vulnerability (CVE-2026-35273)
Oracle has released an urgent Security Alert addressing a critical remote code execution (RCE) vulnerability, CVE-2026-35273, in PeopleSoft Enterprise PeopleTools. With a CVSS score of 9.8, the flaw poses a severe risk to enterprise systems, enabling unauthenticated attackers to execute arbitrary code remotely over HTTP without requiring user interaction or privileges.
The vulnerability resides in the Updates Environment Management component of PeopleSoft PeopleTools versions 8.61 and 8.62, though unsupported or earlier versions may also be affected. Discovered by researchers at TrendAI Zero Day Initiative (including Bobby Gould, Lucas Miller, and Minh Giang), the flaw has low attack complexity, increasing the likelihood of exploitation in the wild.
Successful exploitation could lead to full system compromise, allowing attackers to access sensitive data, alter configurations, or disrupt services. Publicly exposed PeopleSoft instances are particularly vulnerable, potentially enabling lateral movement within corporate networks.
Oracle has released patches and mitigation guidance, urging organizations to apply updates immediately, restrict external access to PeopleSoft environments, and monitor for suspicious activity. Systems running unsupported versions face heightened risk, as patches are only available for those under Premier or Extended Support.
Given PeopleSoft’s role in managing HR, finance, and other critical operations, exploitation of this flaw could have significant operational and security consequences. Enterprises are advised to treat CVE-2026-35273 as a high-priority threat.
JUNE 2026 | Cyber Attack | 10 Jun 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: ORAUNI1781123069
Oracle and Nottingham University: Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
ShinyHunters Targets Oracle PeopleSoft in Large-Scale Data Theft Attacks
The ShinyHunters extortion gang is actively targeting Oracle PeopleSoft servers in a widespread campaign, claiming to have stolen data from over 100 organizations. PeopleSoft, an enterprise software suite used for HR, finance, supply chain, and student administration, has been exploited across both cloud and on-premises instances.
The threat actor confirmed to BleepingComputer that the attacks leverage a "gadget chain" of old and zero-day vulnerabilities, though success varies depending on system configurations. While Oracle has not publicly acknowledged the breaches, ShinyHunters stated their initial goal was to breach an FBI portal running PeopleSoft, an attempt that ultimately failed.
Most affected organizations are in the education sector, with Nottingham University already confirmed as a victim. The university’s data has been published on ShinyHunters’ leak site, and it has publicly acknowledged the incident.
Cybersecurity researcher Michael R uncovered exposed directories linked to the attacks, revealing staging materials such as MeshCentral agents and credential-spraying scripts. Indicators of compromise (IOCs) include multiple IP addresses (e.g., `142.11.200[.]186`, `108.174.202[.]99`) and a TLS certificate tied to the domain `azurenetfiles[.]net`, previously associated with ShinyHunters.
Analysis of exposed `.bash_history` files revealed a script that deploys a ransom note (`README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT`) on compromised PeopleSoft servers. The script scans for internal systems via `/etc/hosts` and attempts SSH access using common administrative accounts like psoft, oracle, and linuxadm, falling back to key-based authentication if passwords fail.
Organizations running PeopleSoft are advised to review logs for connections from the identified IOCs to assess potential exposure.
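The log review recommended above can be automated. The following is an added example (not code from the report or from any of the parties named in it) that refangs the published indicators, splits them into IP and domain lists, and scans log lines for exact IP matches and for the domain or any of its subdomains. The log lines are constructed for this example; the indicator values are the ones quoted in the report.

```python
import re
from ipaddress import ip_address

# IOCs as published in the report, in defanged form.
DEFANGED_IOCS = ["142.11.200[.]186", "108.174.202[.]99", "azurenetfiles[.]net"]

# Constructed sample log lines for this example (not real telemetry).
SAMPLE_LOGS = [
    "2026-06-08T02:14:07Z sshd[2231]: Accepted password for psoft from 10.20.30.40 port 51412 ssh2",
    '2026-06-08T02:15:33Z httpd: 142.11.200.186 - - "POST /psp/ps/signon.html HTTP/1.1" 200',
    "2026-06-08T02:16:01Z proxy: CONNECT files.azurenetfiles.net:443 from 10.20.30.40 sni=files.azurenetfiles.net",
    "2026-06-08T02:17:45Z sshd[2290]: Failed password for oracle from 108.174.202.99 port 40022 ssh2",
    '2026-06-08T02:18:10Z httpd: 203.0.113.7 - - "GET /psp/ps/signon.html HTTP/1.1" 200',
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dot-separated labels ending in an alphabetic TLD (so bare IPs never match here).
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_iocs(iocs):
    """Separate IP indicators from domain indicators after refanging."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value.lower())
    return ips, domains


def find_ioc_hits(log_lines, iocs=DEFANGED_IOCS):
    """Return (line_number, matched_indicator) for every log line that contains a known IOC.

    IPs must match exactly; hostnames match the listed domain or any subdomain of it.
    Each indicator is reported at most once per line.
    """
    ips, domains = split_iocs(iocs)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        seen = []
        for ip in IP_RE.findall(line):
            if ip in ips and ip not in seen:
                seen.append(ip)
        for host in HOST_RE.findall(line):
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in domains) and h not in seen:
                seen.append(h)
        hits.extend((lineno, value) for value in seen)
    return hits


if __name__ == "__main__":
    for lineno, indicator in find_ioc_hits(SAMPLE_LOGS):
        print(f"line {lineno}: matched IOC {indicator}")
```

In practice the same function is pointed at web server access logs, auth logs and proxy or TLS-inspection logs; a hit is a starting point for investigation rather than proof of compromise, since the listed addresses could also appear in unrelated scanning traffic.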
JUNE 2026 | Vulnerability | 01 Jun 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: ORA1780418023
Oracle: CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks
Critical Oracle WebLogic Server Vulnerability (CVE-2024-21182) Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-21182, a critical vulnerability in Oracle WebLogic Server, to its Known Exploited Vulnerabilities (KEV) catalog on June 1, 2026, following confirmed in-the-wild exploitation. The flaw affects Oracle WebLogic Server, a widely deployed enterprise Java application server used in both cloud and on-premise environments.
The vulnerability is classified as an unauthenticated remote code execution (RCE) flaw, allowing attackers to exploit it without authentication via WebLogic’s T3 or IIOP protocols, which are commonly used for internal application communication. Successful exploitation could enable threat actors to bypass authentication controls, access sensitive data, or fully compromise affected systems, potentially leading to lateral movement, data exfiltration, or deployment of malicious payloads such as web shells or remote access trojans.
While no specific threat actors or ransomware groups have been publicly attributed to these attacks, security researchers warn that the vulnerability could be rapidly adopted in financially motivated campaigns, given WebLogic’s history as a frequent target in ransomware intrusion chains.
CISA has mandated federal agencies to remediate the vulnerability by June 4, 2026, under Binding Operational Directive 22-01. Organizations are advised to apply Oracle’s official patches immediately or implement mitigation measures, such as isolating affected systems, restricting access to T3/IIOP protocols, and enforcing network segmentation. Continuous monitoring for unusual traffic patterns or unauthorized access attempts is also recommended to detect early signs of compromise.
The incident highlights the ongoing risks posed by unpatched enterprise middleware and the need for proactive vulnerability management to defend critical infrastructure.
MAY 2026 | Vulnerability | 18 May 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: SALORAEAS1781684937
Oracle, Salesforce and Eastman Kodak Company: Kodak confirms data breach claimed by ShinyHunters extortion gang
Kodak Investigates Data Breach as ShinyHunters Claims Responsibility
Eastman Kodak Company, the 144-year-old imaging and materials giant headquartered in Rochester, New York, has confirmed a security breach after unauthorized access to a portion of its data. A company spokesperson told BleepingComputer that the incident involved only a "limited amount" of data, though Kodak did not specify whether the attackers breached its internal network.
Kodak has engaged external cybersecurity experts to investigate the scope of the breach and is collaborating with law enforcement. The company stated it has found no evidence of ongoing threats to its systems or operations but has not yet attributed the attack.
The ShinyHunters extortion group has claimed responsibility, alleging the theft of over 2.2 million records containing customer personally identifiable information (PII) and internal corporate data. The group threatened to leak the data by June 18, 2026, unless Kodak engaged with them. Their dark web leak site listed the breach alongside other recent high-profile attacks.
ShinyHunters has been linked to multiple large-scale breaches, including attacks on Salesforce customers (allegedly stealing 1.5 billion records) and Snowflake clients in the past year. Just last week, the group claimed responsibility for breaches at over 100 organizations, including the University of Nottingham, exploiting a zero-day flaw in Oracle’s PeopleSoft software.
Kodak has not disclosed how the attackers gained access, and the investigation remains ongoing.
MAY 2026 | Breach | 04 May 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: METORATICBANYAHATTADOAPPCOLGOO1777962591
Facebook, Ticketmaster, Google, AT&T, Apple, Santander, Oracle, Yahoo, Adobe and Colonial Pipeline: How to Check & What to Do
Massive Password Breaches in 2024–2025: What You Need to Know
In 2025, cybersecurity researchers uncovered two of the largest credential leaks in history: a 16 billion-password compilation, an aggregation of thousands of breaches collected over several years, and a 184 million-record database sourced from infostealer malware, containing active logins for platforms like Google, Apple, Microsoft, and Facebook. These incidents are part of an accelerating trend: password breaches are no longer isolated events but a persistent, industrial-scale threat.
### How Password Breaches Happen
Attackers exploit vulnerabilities, misconfigured servers, or phishing attacks to steal credential databases from platforms. Once exfiltrated, the data is traded on dark web forums, packaged into "combo lists," and used in credential-stuffing attacks, automated attempts to log into other accounts with the same stolen credentials. By the time a breach is publicly disclosed (often months later), the credentials may have already been circulating for weeks.
### Why Password Breaches Are Uniquely Dangerous
Unlike general data breaches (which may expose names or payment details), password breaches give attackers direct access to accounts. Weak or reused passwords amplify the risk: a single leaked credential can compromise multiple accounts if reused. According to Verizon’s Data Breach Investigations Report, stolen credentials are the leading cause of hacking-related breaches, responsible for incidents like the Colonial Pipeline attack.
### Major Breaches in Recent Years
- 2025: 16B-password compilation (multi-source aggregation); 184M-record infostealer dump.
- 2024: Ticketmaster (560M records), Snowflake-linked breaches (AT&T, Santander), alleged Oracle Cloud compromise.
- 2022: LastPass (encrypted vaults + unencrypted metadata stolen).
- 2013–2016: Yahoo (3B accounts), Adobe (153M), LinkedIn (117M).
### How Platforms Detect Breached Passwords
Google, Apple, Chrome, and Safari now include built-in breach monitoring:
- Google Password Checkup: Cross-references saved credentials against a database of 4B+ compromised passwords.
- Apple’s Password Monitor: Flags breached passwords in iCloud Keychain using privacy-preserving hashing.
- Firefox Monitor/Have I Been Pwned (HIBP): Public tools to check email addresses against breach datasets.
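The "privacy-preserving hashing" that these checkers rely on is usually a k-anonymity range query: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, receives every breached suffix that shares that prefix, and finishes the comparison locally, so the service never sees the full hash or the password. The following is an added example modelled on the range-query scheme used by Have I Been Pwned's Pwned Passwords API; it is not code from that service, from Apple or Google, or from the article, and the breach corpus is a handful of constructed entries standing in for the real multi-billion-hash set.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus for this example; a real service holds billions of hashes.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "oracle123"]

PREFIX_LEN = 5  # HIBP-style range queries send the first 5 hex chars of the SHA-1 digest


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form used by Pwned Passwords range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Server side of the protocol.

    The index maps a 5-character prefix to the hash suffixes of every breached
    password sharing that prefix. A query reveals only the prefix, so the server
    cannot tell which of the returned candidates (if any) the client actually holds.
    """

    def __init__(self, passwords):
        self.index = defaultdict(list)
        for pw in passwords:
            digest = sha1_hex(pw)
            self.index[digest[:PREFIX_LEN]].append(digest[PREFIX_LEN:])

    def range_query(self, prefix: str):
        """Return all known suffixes for a prefix (sorted, so the response leaks no insertion order)."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
        return sorted(self.index.get(prefix.upper(), []))


def check_password_privately(password: str, server: RangeServer):
    """Client side: returns (breached, candidates_returned).

    Only the prefix crosses the wire; the suffix comparison happens here.
    candidates_returned is the size of the anonymity set the server saw.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = server.range_query(prefix)
    return suffix in candidates, len(candidates)


def is_breached(password: str, server: RangeServer) -> bool:
    return check_password_privately(password, server)[0]


if __name__ == "__main__":
    srv = RangeServer(BREACHED_PASSWORDS)
    for candidate in ["password", "correct horse battery staple"]:
        breached, n = check_password_privately(candidate, srv)
        print(f"{candidate!r}: breached={breached}, candidates returned={n}")
```

With a real corpus each prefix bucket holds hundreds of suffixes, which is what gives the client its anonymity; with this five-entry corpus most buckets are empty, which is why the example also reports how many candidates came back.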
### What to Do If Your Password Is Breached
1. Change the flagged password immediately and any other accounts using it.
2. Prioritize high-risk accounts (email, financial, healthcare).
3. Use a password manager (Bitwarden, 1Password, Keeper) to generate and store unique passwords.
4. Enable two-factor authentication (2FA) on critical accounts.
### Dark Web Monitoring: The Next Layer of Defense
Standard tools (HIBP, Google Checkup) rely on publicly disclosed breaches, which can lag behind criminal activity. Dark web monitoring scans private forums, infostealer logs, and marketplaces to detect stolen credentials before they appear in public databases, narrowing the window for attackers to exploit them.
The scale of credential exposure in 2024–2025 underscores a grim reality: most users have had passwords leaked at least once. The question is no longer whether a user's passwords have leaked but how many times, and whether proactive measures are in place to limit the damage.
APRIL 2026 | Vulnerability | 09 Apr 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: TULORA1777415654
Oracle and Tulane University: Tulane employees’ social security numbers, banking details exposed in data breach • The Tulane Hullabaloo
Tulane University Data Breach Exposes Employee and Student Worker Information
Tulane University has confirmed a data breach affecting multiple employees and student workers, exposing sensitive personal and financial information. The breach, disclosed in letters sent on April 2, revealed that names, Social Security numbers, and direct deposit banking details stored in Oracle’s E-Business Suite (EBS) were compromised.
The university first detected the breach on March 12, after unauthorized access occurred on August 10, 2025, exploiting a vulnerability in Oracle EBS. The attack may be linked to a flaw first exploited on August 9, 2025, which cybersecurity firms Google Threat Intelligence and Mandiant attribute to the Cl0p ransomware group, a Russian-speaking extortion operation. On November 19, 2025, Cl0p publicly claimed responsibility for the attack and threatened to release the stolen files, according to dark web monitoring site DeXpose.
Tulane had been using Oracle EBS until March 20, 2025, when it transitioned to Oracle Cloud. Following the breach, the university launched an investigation, notified law enforcement, and worked with Oracle and third-party cybersecurity vendors to address the vulnerability.
This incident follows two prior Oracle breaches in 2025: a January breach exposing over 140,000 Oracle Cloud users and six million sensitive records, and an April breach where hackers stole client login credentials. Tulane has expressed regret over the incident and stated that corrective measures have been implemented to prevent future occurrences. The total number of affected individuals remains unclear.
APRIL 2026 | Breach | 07 Apr 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: ORABUS1775582683
Israel’s Power Grid and Oracle: Iranian Hackers Claim Breach of Israel Power Grid Data
Iranian Hacking Group Handala Claims Breach of Israel’s Power Grid Data
The Iranian hacking collective Handala has announced a successful breach of Israel’s critical power infrastructure, claiming to have obtained confidential technical data, including control system diagrams and details on vulnerable network components. The group stated that the stolen information has already been shared with Iran’s missile units, which are reportedly on heightened alert amid escalating regional tensions.
Handala emphasized that its operations are independent, with no direct involvement from third-party countries, though it provides informational support to the so-called "Axis of Resistance." The breach underscores growing cyber threats in the Middle East, particularly as geopolitical conflicts extend into digital warfare.
The incident follows a series of Iranian cyber and missile strikes targeting Israeli and regional infrastructure, including recent attacks on Amazon’s cloud operations in Bahrain and an Oracle data center in Dubai. The disclosure raises concerns about potential physical disruptions to Israel’s energy sector, given the group’s claim of transferring data to military units.
APRIL 2026 | Breach | 01 Apr 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: JONGENMCDGOL1775507547
Goldman Sachs, McDonald’s, Jones Day and General Motors: Jones Day shares client data breach affecting 10 firms
Jones Day Hit by Phishing Attack, Client Data Accessed in Breach Claimed by Cybercriminal Group
Global law firm Jones Day confirmed a phishing attack in which hackers accessed files belonging to 10 clients, a breach later claimed by the cybercriminal group Silent. The incident, disclosed on Monday, involved unauthorized access to a limited set of dated client documents, according to a statement from spokesperson Dave Petrou. All affected clients have since been notified, though their identities remain undisclosed.
Silent, a known extortion-focused threat group, listed Jones Day as a victim on its dark web leak site, taking credit for the attack. The firm, which has previously faced cybersecurity incidents, including a 2021 breach with undisclosed details, represents high-profile clients such as Goldman Sachs, McDonald’s, and General Motors.
No further information on the scope of the compromised data or the timeline of the attack has been released. The incident underscores the persistent targeting of legal firms by cybercriminals seeking sensitive corporate information.
MARCH 2026 | Vulnerability | 21 Mar 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: ORA1774088623
Oracle: Oracle Fixes High-Severity RCE Vulnerability Affecting Identity and Web Services Platforms
Oracle Issues Urgent Alert for Critical RCE Flaw in Identity and Web Services Manager (CVE-2026-21992)
Oracle has released an urgent security alert for a critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-21992, affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw allows unauthenticated attackers to remotely compromise systems by sending specially crafted network packets, enabling arbitrary code execution on vulnerable servers.
Exploitation of this vulnerability could grant threat actors deep system access, allowing them to deploy malware, steal sensitive corporate identity data, or move laterally within an enterprise network. The flaw is rated under CVSS 3.1, though Oracle has withheld technical exploit details to prevent immediate weaponization.
The vulnerability impacts Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0 for both affected products. Oracle has released patches under KB878741, but only for versions covered by Premier Support or Extended Support. Organizations running end-of-life software must upgrade to supported releases before applying fixes.
Given the severity of the flaw and the risk of exploitation by advanced persistent threats, Oracle emphasizes the need for immediate patch deployment to secure identity management infrastructure. The vulnerability operates over standard network protocols, leaving even HTTPS-secured systems exposed until updates are applied.
MARCH 2026 | Cyber Attack | 17 Mar 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: BROBECTHEORAABB1773750615
Estée Lauder, Broadcom, Abbott Technologies, Oracle and Bechtel: Silence from the Corporate Giants: Four Companies Yet to Comment on Oracle EBS Hack
Oracle E-Business Suite Hack Leaves Four Major Companies Silent on Impact
A recent cyberattack targeting Oracle E-Business Suite (EBS) has disrupted organizations reliant on the platform for critical business operations, including finance, supply chain, HR, and procurement. While many companies have responded with public disclosures and mitigation efforts, Broadcom, Bechtel, Estée Lauder, and Abbott Technologies have yet to issue any statements, raising concerns about transparency and crisis management.
The breach exposes vulnerabilities in a widely used enterprise software suite, threatening the integrity of sensitive corporate and customer data. Security researchers and incident response teams are assessing the full scope of the compromise, with affected organizations working to determine exposure and prevent follow-on attacks.
In contrast to the silent four, other companies have taken proactive steps, including acknowledging the breach, implementing security measures, collaborating with cybersecurity firms, and notifying stakeholders. This approach is considered best practice in handling enterprise-wide software vulnerabilities.
The continued silence from Broadcom, Bechtel, Estée Lauder, and Abbott Technologies leaves stakeholders uninformed about potential risks, data protection efforts, and the companies’ cybersecurity commitments. The lack of disclosure may also invite regulatory scrutiny, particularly for publicly traded firms, while risking long-term reputational damage.
As cybersecurity incidents grow in frequency and severity, transparent communication is increasingly seen as a corporate obligation, both for stakeholder trust and for legal compliance. The absence of updates from these four companies underscores a critical gap in modern incident response policies.
MARCH 2026 | Breach | 13 Mar 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: NO-SHOPRELOB1773534483
Shoppers Drug Mart, President’s Choice, Loblaw, No Frills and PC Optimum: “Threat Actor” on the dark web claims Loblaw’s “low-level” data breach is a much larger threat
Loblaw Faces Alleged Massive Data Breach as Threat Actor Demands Response
A threat actor operating under the handle "igotafeeling" on the DarkWeb Informer forum has claimed to have breached Loblaw, Canada’s largest food and pharmacy retailer, which owns brands like President’s Choice, No Frills, Shoppers Drug Mart, Real Canadian Superstore, and the PC Optimum loyalty program.
The actor alleges possession of over 1.8 billion records, including:
- 75.1 million Salesforce customer records (names, emails, phone numbers, addresses, loyalty IDs, and health card numbers)
- 724.9 million Shoppers Drug Mart records (passwords, tokens, loyalty IDs, payment details, and full credit card numbers with expiry dates)
- 129.9 million pharmacy fill requests (prescription numbers and patient IDs)
- 120.4 million e-commerce fraud-feed records (payment card BINs, last-four digits, and expiry dates)
- 20.2 million Delivery Ops Portal records (orders, deliveries, and postal codes)
- 3,014 GitLab projects containing Loblaw’s full source code
- 19.3 million Oracle identity records (MFA device details and credentials)
- 55.3 million marketing and email records across 673 tables
The threat actor has given Loblaw until March 19 to respond, accusing the company of "ghosting" them and dismissing customer and investor concerns. They have also invited media organizations to verify the data’s authenticity.
In response, Loblaw issued a March 12 press release, labeling the incident a "low-level data breach" and stating that only "basic customer information" (names, phone numbers, and emails) may have been accessed. The company explicitly denied evidence of financial or credit card data compromise, directly contradicting the threat actor’s claims.
While the breach remains unverified, the scale of the alleged exposure, if confirmed, would rank among the largest in Canadian history. The situation mirrors past high-profile breaches (e.g., T-Mobile, Equifax, Capital One), where initial corporate statements downplayed impact before later revelations proved otherwise.
Loblaw customers with PC Optimum accounts, Shoppers Drug Mart loyalty cards, or prescription histories may be affected if the claims hold true. The deadline for Loblaw’s response is six days away.
MARCH 2026 | Breach | 03 Mar 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: RAYORAFED1772527461
Oracle, Raytheon and Federal Bureau of Investigation: Hacktivists claim breach of DHS, ICE data allegedly leaked
DHS and ICE Contractor Data Breach Exposes Thousands of Entities
A recent cybersecurity breach targeting the U.S. Department of Homeland Security’s (DHS) Office of Industry Partnership has exposed sensitive contract details involving over 6,600 organizations. The incident, first reported by the non-profit Distributed Denial of Secrets, was publicly disclosed by a hacking collective identifying itself as the Department of Peace.
The leaked data includes comprehensive records of companies, government agencies, and universities that applied for or secured contracts with DHS and Immigration and Customs Enforcement (ICE). Among the affected entities are major firms such as Anduril, HBGary, L3Harris, Microsoft, Oracle, Palantir, and Raytheon, as well as federal agencies like the FBI and NASA.
The compromised information spans:
- Company names, URLs, and employee details (names, titles, contact information)
- Business and personal addresses
- Tax ID numbers, including Employer Identification Numbers (EINs) and potential Social Security Numbers (SSNs)
- Government contractor identifiers (UEI numbers, CAGE codes)
- Internal DHS staff comments on data updates
- A secondary list detailing awarded contracts and their purposes, some of which were not publicly accessible via the DHS’s official portal
The Department of Peace claimed the breach was motivated by opposition to DHS and ICE’s immigration enforcement policies, citing detentions, injuries, and deaths linked to their operations. The group stated its intent was to expose corporate and institutional ties to these agencies, though it acknowledged that some affected entities, such as universities and public safety organizations, were not the primary targets of its criticism.
The full scope of the breach remains unclear, as the hackers described the data as "likely incomplete." The incident underscores ongoing risks to government contractor confidentiality and the potential for politically motivated cyberattacks to disrupt federal operations.
MARCH 2026 | Breach | 02 Mar 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: MSG1772483822
Madison Square Garden Entertainment: Madison Square Garden Entertainment Data Breach Claims Investigated by Lynch Carpenter
MSGE Data Breach Exposes Personal Information of Over 131,000 Individuals
Madison Square Garden Entertainment (MSGE), the operator of high-profile sports and entertainment venues in New York City and Chicago, disclosed a cybersecurity incident on March 2, 2026, affecting the personal data of more than 131,000 individuals. The breach involved unauthorized access to MSGE’s network, potentially compromising sensitive personally identifiable information (PII), including names, addresses, and Social Security numbers.
The law firm Lynch Carpenter, LLP, has launched an investigation into the incident, inviting affected individuals to review potential legal claims. The firm, known for its work in data privacy litigation, has represented millions of clients in similar cases over the past decade.
MSGE has not yet released further details on the breach’s origin, timeline, or remediation efforts. The incident adds to a growing list of high-profile data exposures in the entertainment and hospitality sectors, raising concerns about the security of customer and employee records.
FEBRUARY 2026 | Cyber Attack | 23 Feb 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: MGMCAEORAWYN1771962331
Caesars Entertainment, Oracle, MGM Resorts and Wynn Resorts: Top Las Vegas hotel is the latest ShinyHunters ransomware victim - hackers demand $1.5 million to not leak data
ShinyHunters Claims Breach of Wynn Resorts, Leaks 800K Employee Records
The ransomware group ShinyHunters has allegedly breached Wynn Resorts, claiming to have stolen over 800,000 employee records and demanding 23.34 Bitcoin (≈$1.55 million) to delete the data. The group set a deadline of February 23, 2026, for payment, warning that failure to comply would result in the data being leaked on the dark web.
A sample of the stolen data, analyzed by The Register, includes full names, emails, phone numbers, job positions, salaries, start dates, birth dates, and other personal details, enough to facilitate phishing attacks, credential theft, and financial fraud.
According to a group member, the breach occurred in September 2025 via an Oracle PeopleSoft vulnerability, exploiting compromised employee credentials. Wynn Resorts has not yet responded to the claims or media inquiries.
ShinyHunters has been highly active in recent months, targeting organizations through vishing scams and exploiting identity management systems like Okta. This incident follows high-profile attacks on Caesars Entertainment and MGM Resorts in September 2023, reinforcing concerns over cybersecurity vulnerabilities in the hospitality and gaming sectors.
FEBRUARY 2026 | Ransomware | 10 Feb 2026 • Oracle | Score 100 | Severity: CRITICAL | Incident ID: HYPORA1773686454
Hypertherm and Oracle: Hypertherm Data Breach Exposes Names and Social Security Numbers
Hypertherm Discloses Data Breach Impacting U.S. Employees After Oracle EBS Exploit
Hypertherm, an employee-owned manufacturer of industrial cutting systems based in Hanover, New Hampshire, has reported a data breach exposing personal information due to a vulnerability in Oracle’s E-Business Suite (EBS) software. The incident was discovered on February 10, 2026, after an unauthorized actor exploited an unknown flaw in Oracle EBS to steal database tables from the company’s systems in August 2025.
The breach compromised names and Social Security numbers of affected individuals, though the total number of impacted U.S. residents remains undisclosed. Hypertherm began notifying victims via mail on March 13, 2026, filing reports with the Maine, New Hampshire, and Texas Attorneys General. To date, 334 Texas residents, 166 New Hampshire residents, and 31 Maine residents have been confirmed as affected.
The ransomware group CL0P claimed responsibility for the attack, posting about the breach on the dark web’s Tor network on November 21, 2025, categorizing it as a ransomware incident.
Hypertherm is offering one year of free identity monitoring through Kroll, including credit monitoring, fraud consultation, and identity theft restoration. Affected individuals can enroll using a membership number provided in their notification letters. The company has also set up a dedicated call center (844-403-4502) for inquiries.
While Hypertherm has not released nationwide impact figures, the breach underscores the risks of unpatched software vulnerabilities in enterprise systems. The incident follows a pattern of CL0P’s exploitation of third-party software flaws to extract sensitive data.
FEBRUARY 2026
100
Breach
03 Feb 2026 • Oracle
Oracle: Penn’s October data breach impacted fewer than 10 people, despite hackers’ claims it was 1.2 million
University of Pennsylvania Data Breach
100
CRITICAL0
ORA1770195349
University of Pennsylvania Data Breach Impact Far Smaller Than Initially Claimed
A high-profile data breach at the University of Pennsylvania (Penn), initially alleged by anonymous hackers to have exposed records of 1.2 million students, donors, and alumni, was confirmed to have affected fewer than 10 individuals, according to a recent legal filing in a proposed class-action lawsuit.
The breach, which occurred on October 31, targeted systems linked to development and alumni activities. Hackers sent a provocative email purporting to be from Penn to students and alumni, falsely claiming the university had "terrible security practices" and urging donors to "stop giving us money." Penn swiftly dismissed the hackers’ claims, stating it could not verify the scale of the breach and had engaged cybersecurity specialists to investigate.
In a statement, the university confirmed that a "comprehensive review" of the compromised files concluded that only a limited number of individuals had their personal data exposed. Notifications were sent to those affected, as required by law. Penn also announced plans to implement mandatory cybersecurity training and strengthen defenses against future attacks.
The incident sparked 18 proposed class-action lawsuits in the U.S. Eastern District Court, with plaintiffs alleging Penn failed to protect sensitive data, enabling cybercriminals to exploit it. However, in December, a federal judge consolidated the cases into a single lawsuit. Since then, eight plaintiffs have withdrawn, after learning that none of those who sued were among the impacted individuals, according to a Monday court filing.
Attorneys for the remaining plaintiffs acknowledged that the small scope of the breach could weaken the case if pursued independently. They proposed merging the litigation with an ongoing lawsuit in Western Texas District Court related to a separate, larger breach involving Oracle E-Business Suite, which affected over 100 companies. Penn has not disclosed the number of individuals impacted in that incident.
Disagreements among attorneys over the case’s leadership and jurisdiction remain unresolved. A judge is expected to decide which legal team will lead the litigation and whether the case will proceed in Philadelphia or Texas.
JANUARY 2026
100
Vulnerability
21 Jan 2026 • Oracle
Oracle: Critical Oracle WebLogic Server Proxy Vulnerability Lets Attackers Compromise the Server
Oracle Discloses Critical Proxy Vulnerability in Fusion Middleware (CVE-2026-21962)
100
CRITICAL0
ORA1768994894
Oracle Discloses Critical Proxy Vulnerability in Fusion Middleware (CVE-2026-21962)
Oracle has revealed a severe security flaw (CVE-2026-21962) in its Fusion Middleware suite, specifically affecting the Oracle HTTP Server and WebLogic Server Proxy Plug-in. The vulnerability, rated CVSS 10.0, enables unauthenticated remote attackers to exploit systems without user interaction, posing a major risk to enterprise environments.
The flaw lies in how the WebLogic Server Proxy Plug-ins for Apache HTTP Server and Microsoft IIS process incoming requests. Due to its location in the proxy layer, attackers can bypass security controls entirely, gaining unauthorized access to sensitive data and the ability to create, delete, or modify system data. The vulnerability’s "Scope Change" (S:C) metric indicates that successful exploitation could extend beyond the plug-in, potentially compromising backend WebLogic Server environments.
Affected Versions:
- Oracle HTTP Server / Proxy Plug-in: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0
- WebLogic Server Proxy Plug-in for IIS: 12.2.1.4.0
Oracle has released patches in its Critical Patch Update (CPU), with temporary mitigation recommending restricted network access to affected HTTP ports if immediate patching is not possible. The flaw’s low attack complexity and high impact make it a priority for organizations using these components.
JANUARY 2026
100
Ransomware
15 Jan 2026 • Oracle
Conduent, DaVita, Sanrio, Oracle and Asahi Group: Global ransomware attacks rose 32% in 2025, as manufacturers emerged as top target
Global Ransomware Attacks Surge 32% in 2025, With Manufacturing and U.S. Organizations Hit Hardest
100
CRITICAL0
CONDAVORASANASA1770645741
Global Ransomware Attacks Surge 32% in 2025, With Manufacturing and U.S. Organizations Hit Hardest
In 2025, global ransomware attacks reached 7,419 incidents, marking a 32% increase from the 5,631 recorded in 2024, according to a report by Comparitech. Of these, 1,173 attacks were confirmed by targeted organizations, while the remaining were claimed by ransomware groups via data leak sites. Collectively, the confirmed attacks breached 59.2 million records, though this figure is expected to rise as delayed reports emerge.
### Key Trends and Sector Impacts
- Manufacturing saw the sharpest rise in attacks, surging 56% to 1,466 incidents, with average ransom demands more than doubling from $523,000 in 2024 to $1.2 million in 2025.
- Legal firms experienced a 54% increase in attacks, alongside a 60% jump in ransom demands, averaging $610,000.
- Healthcare and education saw stable attack volumes, with only 2% increases in incidents, suggesting a potential shift in attacker focus or improved defenses in these sectors.
### Geographic Breakdown
The U.S. remained the most targeted country, accounting for 3,810 attacks (51% of the global total), a 33% increase from 2024. Other heavily affected nations included:
- Canada: 392 attacks (31% increase)
- Germany: 303 attacks (62% increase)
- U.K.: 251 attacks (5% decrease)
- France: 178 attacks (39% increase)
- South Korea: 64 attacks (540% increase), driven largely by attacks on asset management firms following Qilin’s breach of a third-party provider.
### Ransomware Groups and Data Theft
- Qilin was the most active group, responsible for 1,034 attacks (14% of the total), including 172 confirmed incidents. The group claimed to have stolen 31.2 petabytes of data, primarily from a single U.S. manufacturer.
- Akira ranked second with 765 attacks, while SafePay was linked to the largest number of breached records (16.15 million), nearly all from its attack on Conduent.
- DragonForce exposed 6.5 million records, mostly from its attack on the U.K.’s Co-operative Group, which resulted in £206 million ($276 million) in lost revenue.
### Notable Breaches in 2025
- Conduent (U.S.): 15.9 million records exposed in a SafePay attack, with 8.5 terabytes of data allegedly stolen.
- Episource (U.S.): 5.4 million records compromised in an unidentified ransomware attack.
- University of Phoenix (U.S.): 3.49 million records breached via a Clop attack exploiting an Oracle zero-day vulnerability.
- DaVita (U.S.): 2.69 million records exposed in an Interlock attack, with 1.5 terabytes of data stolen.
- Sanrio (Japan): 2 million records affected.
- Asahi Group (Japan): 1.9 million records compromised.
### Sector-Specific Trends
- Businesses bore the brunt of attacks (6,292 incidents, 35% increase), with 43 million records exposed in confirmed cases. Average ransom demands held steady at $1.09 million.
- Government entities faced 374 attacks (27% increase), with 2.19 million records compromised. Ransom demands fell 15% to $1.55 million.
- Healthcare saw 444 attacks (2% increase), with 10.1 million records exposed. Ransom demands plummeted 84% to $615,000.
- Education recorded 252 attacks (2% increase), with 3.9 million records breached. Ransom demands dropped 34% to $457,200.
The data underscores a strategic shift in ransomware targeting, with attackers prioritizing high-value commercial and public-sector entities while maintaining pressure on traditionally vulnerable sectors. Despite the surge in attacks, average ransom demands declined overall, dropping 26% to $1.04 million. However, select industries, particularly manufacturing and legal services, saw significant increases in both attack frequency and ransom demands.
JANUARY 2026
112
Breach
07 Jan 2026 • Oracle
Dartmouth College, Harvard University, Princeton University, Columbia University and Clemson University: Why Cyberattacks in Higher Ed Keep Proliferating
Multiple University Data Breaches Due to Social Engineering Attacks
100
CRITICAL-12
DARHARPRICOLCLE1767881845
Higher Education Under Siege: A Wave of Cyberattacks Exposes Systemic Vulnerabilities
In the first half of 2025, a surge of cyberattacks has targeted major U.S. universities, exposing critical weaknesses in higher education’s cybersecurity defenses. The University of Pennsylvania, Harvard University, and Princeton University all reported breaches within the past two months, following earlier incidents at Columbia University, Dartmouth College, and New York University. Each institution confirmed the attacks stemmed from social engineering, with Harvard and Princeton specifically citing phone-based phishing as the entry point.
Officials at the affected schools stated they acted swiftly to contain the breaches and are reinforcing security measures. However, experts warn that universities face an uphill battle. Mike Corn, a former chief information security officer in higher education and current consultant at Vantage Technology, noted that colleges operate like "small cities," with decentralized networks, personal devices, and diverse user behaviors creating countless vulnerabilities. Even robust investments in cybersecurity, he argued, cannot guarantee immunity from attacks—especially as AI-driven threats grow more sophisticated.
The challenges extend beyond technology. Brian Nichols, CIO at the University of Kentucky, highlighted that while phishing simulations and training have improved awareness, they are not foolproof. Anita Nikolich, director of research and technology innovation at the University of Illinois at Urbana-Champaign, warned that punitive security measures can backfire, alienating faculty who may resist protocols perceived as restrictive. A core tension lies in academic freedom versus centralized IT control: many universities allow individual departments—such as medical or business schools—to maintain separate IT teams, increasing risk. Nikolich, who previously led IT infrastructure at the University of Chicago, described this fragmentation as a "huge risk factor," as decentralized systems complicate consistent security enforcement.
Faculty resistance further complicates the issue. Janice Lanham, a nursing lecturer at Clemson University, nearly fell victim to a phishing scam but caught the deception in time. Yet, as Brian Voss, Clemson’s CIO, observed, some professors view security protocols as obstacles to research and teaching. Voss described a "culture of subservience" in higher-ed IT, where departments prioritize faculty demands over security, often retaining excessive data—including sensitive information like Social Security numbers—despite the risks. His efforts to reduce data storage have met resistance, with one university even retaining personal data for voter registration purposes, creating what he called "piles of gold for bad guys."
The conflict between research needs and security is particularly acute. Nikolich, who also conducts quantum computing research, faced initial pushback when requesting network data for her work. After demonstrating the data’s non-sensitive nature and potential security benefits, she gained access—but noted that other universities default to blanket denials. When researchers are blocked, she warned, they often bypass official channels, increasing exposure.
The solution, Nikolich suggested, lies in collaboration: IT, security teams, and faculty must treat cybersecurity as a shared priority, balancing innovation with protection. Until then, universities remain prime targets—caught between the demands of open academic environments and the escalating sophistication of cyber threats.
JANUARY 2026
132
Breach
01 Jan 2026 • Oracle
Michelin, Oracle, Korean Air and Madison Square Garden: Michelin Confirms Data Breach Linked to Oracle EBS Attack
Michelin Data Breach in Cl0p’s Oracle EBS Cyberattack Campaign
110
CRITICAL-22
MADMICKORORA1773232260
Michelin Confirms Data Breach in Cl0p’s Oracle EBS Cyberattack Campaign
Tire manufacturer Michelin has confirmed a data breach linked to the ongoing cybercrime campaign targeting organizations using Oracle’s E-Business Suite (EBS). The Cl0p ransomware and extortion group, believed to be operated by the FIN11 threat actor cluster, exploited zero-day vulnerabilities in Oracle EBS to access sensitive data from over 100 organizations, including Michelin.
Michelin acknowledged the incident, stating that while its systems were protected by robust security measures, attackers leveraged an Oracle EBS zero-day flaw to infiltrate its network. The company reported that only a "small, localized volume of data" was compromised, with no sensitive or technical IT information affected. No ransomware was deployed, and global operations remained unaffected.
Despite Michelin’s assurance that the breach was contained, Cl0p published over 315GB of allegedly stolen files on its leak site. Metadata analysis suggests the data originated from an Oracle EBS environment. Michelin emphasized its swift response, confirming that corrective actions were taken and the vulnerability has since been patched.
This attack follows similar breaches at Madison Square Garden, auto parts supplier LKQ, the University of Phoenix, and Korean Air, all tied to the same Oracle EBS campaign. The incidents highlight the growing threat posed by sophisticated extortion groups exploiting enterprise software vulnerabilities.
DECEMBER 2025
141
Cyber Attack
29 Dec 2025 • Oracle
Adidas, Heathrow Airport, Harrods, Marks and Spencer, Co-op Group and Jaguar Land Rover: How 2025 Became The Year Of The Cyberattack For British Businesses
132
CRITICAL-9
ADIHEAHARMARTHEJAG1767017696
2025: A Year of Rising Costs—and Escalating Cyber Threats for UK Businesses
As 2025 draws to a close, UK businesses and charities have faced a surge in financial pressures—from soaring employment costs and supply chain disruptions to oil and tariff shocks. Yet, one of the most damaging expenses has been the fallout from cyberattacks, which have hit nearly half of British companies and 30% of charities over the past year.
High-profile victims include retail giants Marks & Spencer, Adidas, and the Co-op Group, as well as Heathrow Airport, Harrods, and Jaguar Land Rover (JLR). The public sector hasn’t been spared either: Germany’s parliament and the UK Foreign Office (breached in October) were among those targeted. Attacks ranged from phishing scams to full-scale digital shutdowns, with some incidents costing hundreds of millions.
The scale of cybercrime has reached staggering proportions. Cybersecurity Ventures estimates the global cost of cyberattacks in 2025 at $10.5 trillion (£7.8 trillion)—a figure that would rank cybercrime as the world’s third-largest economy, trailing only the US and China. The financial and operational toll underscores the growing threat to organizations across sectors.
DECEMBER 2025
137
Vulnerability
16 Dec 2025 • Oracle
Oracle and Madison Square Garden Entertainment Corp.: DATA BREACH ALERT: Edelson Lechtzin LLP is Investigating Claims on Behalf of Persons Affected by the Madison Square Garden Entertainment Corp. Data Breach
MSG Entertainment Data Breach Impacting Customer Personal Information
136
CRITICAL-1
ORAMSG1772238496
MSG Entertainment Investigates Data Breach Impacting Customer Personal Information
New York-based Madison Square Garden Entertainment Corp. (MSG Entertainment) is under investigation following a data breach discovered on December 16, 2025, that exposed sensitive customer information. The incident stemmed from a vulnerability in the Oracle eBusiness Suite, hosted by a third-party vendor, which was exploited by hackers as early as August 2025.
The breach potentially compromised names, addresses, and Social Security numbers of affected individuals. MSG Entertainment has since begun notifying impacted customers via mail.
Edelson Lechtzin LLP, a national class action law firm, is leading an investigation into potential legal claims on behalf of those whose data was exposed. The firm specializes in data privacy litigation and is evaluating remedies for affected parties.
MSG Entertainment operates high-profile venues, including Madison Square Garden, Radio City Music Hall, the Beacon Theatre, and the Chicago Theatre. The full scope of the breach and the number of individuals affected remain under review.
DECEMBER 2025
223
Ransomware
11 Dec 2025 • Oracle
UnitedHealth, Ticketmaster, MGM Resorts, Ripple, Snowflake, Google, Allianz, Equifax, Maersk, Toyota, Merck and Oracle: 2025 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics
Global Cybercrime Surge and Major Incidents (2024-2025)
136
CRITICAL-87
MEREQUUNIMAEMGMGOOTOYSNOALLORARIPTIC1775528897
Cybercrime in 2025: A Global Threat Surpassing National Economies
Cybercrime continues to escalate into one of the world’s most lucrative illicit industries, with damages projected to reach $10.5 trillion USD globally in 2025, a figure that, if measured as a country, would rank as the third-largest economy after the U.S. and China. This staggering growth, driven by increasingly sophisticated attacks, underscores the evolving threat landscape as cybercriminals target businesses, governments, and individuals with alarming efficiency.
### The Cybercrime Epidemic: Key Trends
- Underreporting Persists: Despite improved reporting practices, less than 25% of global cybercrimes are reported to law enforcement, leaving vast swaths of criminal activity unaddressed.
- Youth-Driven Threats: The FBI reports that cybercriminals are getting younger, with the average age of arrested offenders dropping, a trend that complicates traditional law enforcement approaches.
- Hotspots Identified: A 2024 World Cybercrime Index ranked Russia, Ukraine, China, the U.S., Nigeria, and Romania as the top sources of cybercrime, highlighting concentrated hubs of malicious activity.
### Ransomware: A Pervasive Threat
Ransomware remains a dominant force, with attacks increasing 9% year-over-year in 2024. The most active groups, Akira, LockBit, RansomHub, FOG, and PLAY, targeted critical infrastructure, with 88% of small-to-midsized businesses (SMBs) and 39% of large enterprises experiencing breaches. The financial toll is staggering:
- $20 billion USD in 2021 (up from $325 million in 2015).
- Projected to exceed $265 billion by 2031, with attacks occurring every 2 seconds by 2031.
High-profile incidents in 2024–2025 include:
- UnitedHealth’s $1.6 billion loss after a ransomware attack disrupted U.S. healthcare payments.
- CDK Global’s auto dealership shutdowns, forcing businesses offline for days after a ransom demand in the tens of millions.
- MGM Resorts’ $100 million hit from a 2023 attack that crippled casino operations.
### Cryptocurrency Crime: A Booming Black Market
Cryptocurrency-related crimes surged, with $28 billion in illicit funds flowing into exchanges over two years. Key developments:
- Ripple co-founder Chris Larsen lost $112.5 million in a 2024 hack, one of the largest individual crypto thefts.
- Huione, a Cambodian marketplace, processed $70 billion in suspicious transactions since 2021, facilitating scams, fraud, and sanctioned activities.
- North Korea’s Lazarus Group was linked to the $625 million Axie Infinity hack (2022), the largest crypto theft to date.
### Major Breaches and Supply-Chain Attacks
2024–2025 saw a wave of supply-chain and cloud-based attacks, exposing vulnerabilities in interconnected systems:
- Snowflake Breach: Hackers exploited stolen credentials to access 560 million Ticketmaster records and Live Nation data, prompting a federal investigation.
- Salesforce Exploits: The ShinyHunters gang breached dozens of companies, including Google, Allianz, and Toyota, by targeting cloud databases.
- MOVEit Hack: The Clop ransomware group compromised 2,600+ organizations, including U.S. government agencies and global corporations.
- Oracle Cloud Attack: Over 100 companies were affected by a campaign targeting Oracle’s business software, with damages still being tallied.
### Historic Cyberattacks: Lessons from the Past
The report highlights landmark cyber incidents that reshaped security paradigms:
- Equifax (2017): 147 million records exposed, including Social Security numbers, due to an unpatched vulnerability.
- NotPetya (2017): A $10 billion attack originating in Ukraine, crippling Maersk, Merck, and global supply chains.
- WannaCry (2017): Infected 200,000 systems across 150 countries, demanding Bitcoin ransoms.
- Stuxnet (2010): A U.S.-Israeli cyberweapon that sabotaged Iran’s nuclear centrifuges.
- Heartbleed (2014): A catastrophic OpenSSL flaw that exposed 500,000 servers to data theft.
### The Future of Cybersecurity
While AI-driven defenses have reduced breach containment times to 241 days (the lowest in nine years), the same technologies are being weaponized by attackers. With 60% of global data now stored in the cloud and 6 billion internet users by 2025, the attack surface continues to expand. Small businesses remain particularly vulnerable: 60% fold within six months of a cyberattack.
As cybercrime evolves, the economic and operational risks demand heightened vigilance, and the battle against digital threats shows no sign of abating.
NOVEMBER 2025
226
Cyber Attack
21 Nov 2025 • Oracle
Princeton University, Oracle Corporation and Phoenix Education Partners: University of Phoenix data breach impacts nearly 3.5 million individuals
Clop Ransomware Gang Steals Data of 3.5 Million University of Phoenix Students and Staff
215
CRITICAL-11
PRIORAUNI1766419165
Clop Ransomware Gang Steals Data of 3.5 Million from University of Phoenix
The Clop ransomware gang has stolen the personal and financial data of nearly 3.5 million individuals—including current and former students, staff, and suppliers—after breaching the University of Phoenix (UoPX) network in August 2025. The attack was part of a broader extortion campaign exploiting a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), a financial application used by the university.
UoPX, a private for-profit institution based in Phoenix, Arizona, detected the breach on November 21 after Clop listed the university on its data leak site. The stolen data includes names, contact details, dates of birth, Social Security numbers, and bank account information. In early December, the university publicly disclosed the incident and filed an 8-K report with the U.S. Securities and Exchange Commission (SEC).
On Monday, UoPX confirmed in notification letters filed with Maine’s Attorney General that 3,489,274 individuals were affected. The university is offering free identity protection services, including credit monitoring, dark web surveillance, and a $1 million fraud reimbursement policy.
While UoPX has not officially attributed the attack, the tactics align with Clop’s recent campaign targeting Oracle EBS vulnerabilities. Other U.S. universities, including Harvard and the University of Pennsylvania, have also reported similar breaches linked to the same exploit.
Clop has a history of high-profile data theft operations, previously targeting GoAnywhere MFT, Accellion FTA, MOVEit Transfer, Cleo, and Gladinet CentreStack. The U.S. Department of State has offered a $10 million reward for information connecting the gang’s activities to a foreign government.
In a separate wave of attacks since late October, multiple universities—including Harvard, Princeton, and the University of Pennsylvania—have also fallen victim to voice phishing (vishing) attacks, compromising systems tied to development and alumni activities.
Vulnerability
21 Nov 2025 • Oracle
Oracle Corporation: University of Phoenix Data Breach Lawsuit Investigation
University of Phoenix Data Breach
215
LOW-11
ORA1766435444
University of Phoenix Hit by Massive Data Breach Affecting Millions
In November 2025, the University of Phoenix disclosed a significant data breach impacting over 3.4 million current and former students and staff. The breach, attributed to the CL0P ransomware group, exploited a vulnerability in the university’s Oracle E-Business Suite software between August 13 and August 22, 2025, leading to the exfiltration of sensitive personal data.
Exposed information included names, dates of birth, Social Security numbers, and financial details such as bank account and routing numbers. The university reported the incident to the California and Maine Attorney Generals’ offices on December 21, 2025, and began notifying affected individuals the following day. Among those impacted were 9,131 Maine residents.
The breach has prompted legal action, with Shamis & Gentile P.A., a class-action law firm specializing in data breach cases, investigating potential compensation for victims. The university has offered free IDX identity theft protection services to those affected.
The University of Phoenix, a private for-profit institution based in Phoenix, Arizona, serves working adults through online degree programs in fields like business, healthcare, and information systems. The incident underscores the growing threat of ransomware attacks targeting educational institutions.
NOVEMBER 2025
229
Cyber Attack
11 Nov 2025 • Oracle
UK's National Health Service (NHS)
Potential Cyberattack on UK's National Health Service (NHS) by Clop Extortion Crew
222
CRITICAL-7
NHS3432334111425
The NHS is investigating a cyberattack claimed by the extortion group Clop, which listed the NHS.uk domain on its leak site on November 11 without publishing any stolen data. The attack reportedly exploits a vulnerability in Oracle E-Business Suite (EBS), a system widely used across the NHS for managing sensitive patient data. While Clop did not specify which NHS branch was compromised, the potential exposure of patient records—given the NHS’s role as Europe’s largest employer and a critical healthcare provider—poses severe risks. The NHS, which refuses to pay ransoms, is collaborating with the National Cyber Security Centre (NCSC) to assess the breach. Historical attacks on the NHS have disrupted life-saving services, and this incident could similarly threaten patient safety if systems are compromised. The UK’s proposed ban on ransom payments for public sector organizations further complicates recovery efforts, leaving the NHS vulnerable to prolonged operational and reputational damage.
NOVEMBER 2025
285
Ransomware
01 Nov 2025 • Oracle
Barts Health NHS Trust: Barts Health NHS Confirms Cl0p Ransomware Behind Data Breach
Cl0p Ransomware Attack on Barts Health NHS Trust
226
CRITICAL-59
BAR1765043770
Barts Health NHS Trust has confirmed that the Russian-speaking Cl0p ransomware group stole files from one of its invoice databases after exploiting a vulnerability in Oracle E-Business Suite. The breach exposed data linked to payments for treatment and services, with some records going back several years.
Hackread.com first reported on the Cl0p activity in November 2025, noting the group had leaked 241 GB of NHS data on its hidden site shortly after claiming responsibility for a wider campaign against healthcare targets.
Cl0p Ransomware leaking NHS data (Image credit: Hackread.com)
Now, according to Barts’ press release, the stolen material includes names and addresses of patients who were billed for care, records of former staff with unresolved salary issues and payment details for suppliers. Most supplier information is already public. Clinical systems and patient records were not affected.
Files linked to accounting services provided to Barking Havering and Redbridge University Hospitals NHS Trust since April 2024 were also compromised. Barts advises patients to review any invoices they received to understand if their data was involved.
The breach occurred in August but went undetected until November, when the files surfaced on the Cl0p ransomware’s dark web leak site. Oracle has since patched the exploited flaw. Barts has reported the incident to NHS England, the National Cyber Security Centre, the Metropolitan Police and data regulators. It is also see
OCTOBER 2025
287
Cyber Attack
17 Oct 2025 • Oracle
Wits University and Oracle: Wits University's IT system hit by cyberattack
Wits University Zero-Day Cyberattack
281
CRITICAL-6
ORAWIT1773930753
Wits University Hit by Zero-Day Cyberattack, Oracle Investigating Potential Data Breach
Wits University in South Africa has confirmed a cyberattack targeting its IT systems, classified as a zero-day exploit, a breach leveraging an unknown vulnerability with no available patch at the time of the incident. The attack, which has affected organizations across multiple countries, prompted the university to collaborate with Oracle and cybersecurity experts to assess whether any data was compromised.
While the full scope of the breach remains under investigation, Wits University has reported that some IT systems were compromised, though operations continue as normal. The institution has formally notified South Africa’s Information Regulator, adhering to data protection protocols.
The incident underscores the growing threat of zero-day vulnerabilities, which leave organizations exposed until patches are developed. Further details on the attack’s impact and affected data are expected as the investigation progresses.
OCTOBER 2025
284
Vulnerability
04 Oct 2025 • Oracle
Oracle and Parexel: Parexel Data Breach Investigation
Parexel Data Breach Involving Sensitive Personal Information
283
LOW-1
ORAPAR1766015901
Parexel Reports Data Breach Impacting Sensitive Employee Information
Parexel, a global clinical research organization, disclosed a data breach affecting sensitive personal information stored in its Oracle OCI E-Business Suite (Oracle EBS) environment. On October 4, 2025, the company detected suspicious activity within the system, prompting an investigation.
The breach, confirmed through forensic analysis, revealed that an unauthorized third party accessed employee-related data. Exposed information may include names, Social Security numbers, dates of birth, financial account numbers, payment card details (excluding CVVs), and national ID numbers, though the exact data varies by individual.
On December 17, 2025, Parexel began notifying affected individuals via mail, detailing the compromised information and offering 24 months of complimentary credit monitoring services. The breach notice was filed with the Attorney General of Massachusetts, where impacted residents were among the first to be informed. The full scope of affected individuals and additional details remain under review.
SEPTEMBER 2025
279
Cyber Attack
01 Sep 2025 • Oracle
Oracle Hospitality
Large-Scale Phishing Operation Targeting Hospitality Industry via Malvertising
273
CRITICAL-6
ORA805090225
A large-scale phishing campaign targeted Oracle Hospitality through malicious search engine advertisements (malvertising), impersonating its services to deceive users. Victims were redirected to typosquatted domains mimicking legitimate login pages, harvesting credentials, email addresses, phone numbers, and passwords. The attackers bypassed multi-factor authentication (MFA) by capturing real-time one-time passwords (OTP) via SMS or email codes, gaining unauthorized access to cloud-based property management systems. The breach exposed sensitive guest data, including personal information and payment details, stored in these platforms. Technical analysis revealed Russian-speaking threat actors behind the operation, using sophisticated beaconing techniques to track victims’ geolocation, session duration, and engagement. The campaign posed significant risks to Oracle Hospitality’s operational integrity, customer trust, and financial security, with potential downstream impacts on booking systems and guest privacy. Security researchers highlighted the need for phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn) and adaptive risk assessments to mitigate future threats. The incident underscores the growing sophistication of industry-specific cyberattacks targeting hospitality providers.
AUGUST 2025
296
Breach
10 Aug 2025 • Oracle
Tulane University and Oracle: Tulane University Data Breach: Edelson Lechtzin LLP Launches Investigation Into Exposure of Personal Information
Tulane University Data Breach Exposes Sensitive Personal Information
272
CRITICAL-24
TULORA1779078400
Tulane University Data Breach Exposes Sensitive Personal Information
On March 12, 2026, Tulane University disclosed a cybersecurity incident involving unauthorized access to sensitive files, first detected on August 10, 2025. The breach stemmed from a zero-day vulnerability in Oracle’s E-Business Suite, a platform used by the university to store HR data. Attackers exploited the flaw to access system files before Tulane implemented security patches and launched an investigation with law enforcement.
The exposed data includes names, Social Security numbers, direct deposit details, and banking information, putting affected individuals at risk of identity theft and fraud. Those who received a breach notification from Tulane may be impacted.
National class action firm Edelson Lechtzin LLP is investigating potential legal claims on behalf of affected individuals, offering free case evaluations to assess rights and remedies. The firm specializes in data privacy litigation and has previously handled cases involving financial fraud, wage theft, and consumer protection violations.
Tulane University, a private institution in New Orleans, is known for its academic, research, and medical programs. The incident highlights ongoing risks associated with third-party software vulnerabilities in higher education.
Vulnerability
10 Aug 2025 • Oracle
Oracle Corporation and Maritz Holdings Inc.: Maritz Data Breach Lawsuit Investigation
Maritz Holdings Inc. Suffers Data Breach via Oracle E-Business Suite Vulnerability
272
CRITICAL-24
MARORA1772484170
Maritz Holdings Inc. Suffers Data Breach via Oracle E-Business Suite Vulnerability
Maritz Holdings Inc., a Missouri-based management consulting firm with $1.4 billion in revenue and 4,250 employees, disclosed a data breach stemming from an exploited vulnerability in Oracle E-Business Suite (EBS). The incident occurred between August 10–13, 2025, before Oracle publicly acknowledged the flaw.
The CL0P ransomware group claimed responsibility for the attack, posting details on the dark web. Maritz detected the breach on November 13, 2025, after launching an investigation with cybersecurity experts and notifying law enforcement. The probe confirmed that unauthorized access led to the exposure of sensitive data, including names, Social Security numbers, and financial account information.
Affected individuals, including current and former Maritz employees and clients, were notified in writing on February 27, 2026. While the total number of impacted U.S. victims remains undisclosed, state-specific figures include four in Maine, 85 in Massachusetts, and three in New Hampshire.
The breach highlights risks tied to third-party software vulnerabilities, particularly in widely used enterprise systems like Oracle EBS. Legal investigations are underway for potential compensation claims.
AUGUST 2025
322
Breach
09 Aug 2025 • Oracle
Cox Enterprises
The Silent Siege: Cox Enterprises’ Oracle Breach and the Shadowy World of Zero-Day Exploits
271
CRITICAL-51
COX53102453112425
Cox Enterprises, a U.S.-based conglomerate with operations in telecommunications, media, and automotive services (e.g., Cox Communications, Autotrader), suffered a sophisticated data breach via a zero-day exploit (CVE-2025-61882) in Oracle’s E-Business Suite. Hackers, linked to the Cl0p ransomware group, infiltrated the network between August 9–14, 2025, exfiltrating 1.6TB of data—including sensitive personal information of 9,479 individuals (names, addresses, dates of birth, Social Security numbers, and internal documents). The breach was detected in late September 2025, with Cl0p leaking the data on the dark web. The attack exploited an unpatched critical vulnerability (CVSS 9.8) allowing unauthorized database access, heightening risks of identity theft, financial fraud, and reputational damage. Oracle released an emergency patch post-breach, but the delay enabled widespread exploitation across other high-profile targets (e.g., The Washington Post, Harvard University). Cox offered affected parties credit monitoring, though long-term risks persist. The incident underscores vulnerabilities in ERP systems, supply chain security gaps, and the escalating threat of ransomware-as-a-service (RaaS) campaigns targeting enterprise software.
Vulnerability
09 Aug 2025 • Oracle
Oracle and SUNY Research Foundation: Personal data of SUNY Research Foundation staff stolen by cybercriminals
SUNY Research Foundation Hit by Zero-Day Data Breach, Exposing Employee Personal Data
271
LOW-51
ORATHE1770237797
SUNY Research Foundation Hit by Zero-Day Data Breach, Exposing Employee Personal Data
The SUNY Research Foundation, based in Albany, New York, disclosed a data breach involving a zero-day vulnerability in Oracle’s eBusiness Suite. The attack occurred between August 9 and 11, with cybercriminals accessing personnel files containing sensitive employee information, including Social Security numbers. Oracle identified the flaw and released an urgent patch, but the breach went undetected until early October, when the company notified the foundation on October 10.
Despite discovering the breach in October, the foundation only determined which files were accessed on November 26, nearly three months after the initial incident. Affected employees were notified last week, more than 60 days after the files were identified, exceeding New York’s 30-day notification requirement for data breaches. A foundation spokesperson acknowledged the delay, citing the complexity of the forensic analysis needed to assess the scope of the breach.
The foundation confirmed that no research data was compromised, and the attack was limited to personnel documents. The incident follows a pattern of similar breaches affecting thousands of organizations worldwide using the same Oracle software. The full extent of the exposure and potential misuse of the stolen data remains unclear.
AUGUST 2025
409
Breach
01 Aug 2025 • Oracle
Salesloft
Salesloft/Drift OAuth Token Breach (2025); New York Times GitHub Token Leak (2024); Cloudflare Atlassian Compromise (2023)
320
CRITICAL-89
SAL0932309111025
In August 2025, hackers breached Salesloft’s SaaS platform by stealing OAuth access tokens linked to its Drift chatbot integration with Salesforce. The attackers exploited these tokens—functioning as trusted non-human identities—to impersonate the integration and gain unauthorized access to Salesforce CRM data across hundreds of organizations. Over a 10-day campaign, they exfiltrated sensitive records, including stored credentials like AWS keys and Snowflake tokens from support case attachments. The breach highlighted the risks of unmonitored machine identities with excessive privileges, enabling large-scale data theft without traditional human account compromises.
Ransomware
01 Aug 2025 • Oracle
Anywhere Real Estate and Sotheby’s International Realty: Property records tech draws fresh VC interest; Anywhere data breach affects 17,000
Anywhere Real Estate Hit by Clop Ransomware Attack, Exposing 17,429 Customers
320
CRITICAL-89
ANYSOT1770810849
Anywhere Real Estate Hit by Clop Ransomware Attack, Exposing 17,429 Customers
In August, Anywhere Real Estate disclosed a data breach affecting 17,429 customers, following an attack by the Clop ransomware gang. The cybercriminals infiltrated the company’s Oracle E-Business Suite environment, accessing and potentially exfiltrating sensitive customer data. A breach notification filed with the Maine Attorney General’s Office confirmed the incident, though details on the exact nature of the compromised information remain limited.
Clop, a well-known ransomware and extortion group, has been linked to multiple high-profile attacks, often targeting vulnerabilities in enterprise software. The breach at Anywhere Real Estate, parent company of brands like Coldwell Banker, Century 21, and Sotheby’s International Realty, highlights the growing threat to the real estate and mortgage sectors, where vast amounts of personal and financial data are stored.
The company has since notified impacted individuals, but the full scope of the breach’s consequences, including potential identity theft or fraud, remains unclear. This incident follows a broader trend of cyberattacks on real estate firms, underscoring the industry’s vulnerability to sophisticated ransomware operations.
Vulnerability
01 Aug 2025 • Oracle
Oracle, Hypertherm and Inc.: DATA BREACH ALERT: Edelson Lechtzin LLP is Investigating Claims on Behalf of Persons Affected by the Hypertherm, Inc. Data Breach
Hypertherm, Inc. Data Breach Exposes Sensitive Data in 2025 Oracle EBS Hack
320
CRITICAL-89
ORAHYP1773650183
Hypertherm, Inc. Data Breach Exposes Sensitive Data in 2025 Oracle EBS Hack
Hypertherm, Inc., a manufacturer of industrial cutting products for sectors including shipbuilding, automotive repair, and manufacturing, confirmed a data breach affecting its Oracle E-Business Suite (EBS) systems. The incident, discovered on February 12, 2026, stemmed from an unauthorized intrusion in August 2025, during which an attacker exfiltrated database tables containing sensitive information.
Hypertherm launched an investigation with third-party cybersecurity experts and began notifying affected individuals on March 13, 2026. The breach has since drawn legal scrutiny, with Edelson Lechtzin LLP, a national class action law firm, announcing an investigation into potential claims on behalf of impacted parties. The firm is evaluating legal remedies for those whose personal data may have been compromised.
Hypertherm’s Oracle EBS software is used to manage critical operations, suggesting the breach could have exposed corporate or customer data. Further details on the scope of the exposed information remain undisclosed. The incident highlights ongoing risks associated with enterprise software vulnerabilities and delayed breach detection.
JULY 2025
463
Ransomware
10 Jul 2025 • Oracle
Oracle
Clop Extortion Gang Exploits Zero-Day in Oracle E-Business Suite to Steal Corporate Data
403
CRITICAL-60
ORA4202442101025
The Clop ransomware gang exploited a zero-day vulnerability in Oracle’s E-Business Suite, a critical enterprise software used for managing customer data, HR files, and corporate operations. The attack, active since at least July 10, allowed hackers to steal significant amounts of sensitive data, including personal information of corporate executives and employees, as well as customer data from affected organizations. Oracle initially claimed the vulnerabilities were patched, but later confirmed the zero-day flaw enabled remote exploitation without authentication, meaning attackers could breach systems without credentials. Google’s security researchers revealed that dozens of organizations were compromised, with the Clop gang using the stolen data for extortion campaigns. The group has a history of mass-hacking via unpatched vulnerabilities in file transfer tools (e.g., MOVEit, GoAnywhere), amplifying risks of large-scale data leaks. Oracle’s delayed acknowledgment and the ongoing exploitation of the flaw suggest prolonged exposure, increasing potential damage to financial records, executive identities, and corporate intellectual property.
JULY 2025
471
Cyber Attack
01 Jul 2025 • Oracle
Jaguar Land Rover (JLR)
Cyberattack on Jaguar Land Rover (JLR) Disrupts Production and Incurs £196 Million in Costs
500
CRITICAL-29
JAG2592025111525
Jaguar Land Rover (JLR) suffered a severe cyberattack in September 2025, claimed by the cybercrime group Scattered Lapsus$ Hunters, which forced the shutdown of major production plants and disrupted operations for weeks. The attack resulted in £196 million ($220 million) in direct financial losses for Q2 (July–September 2025), with stolen data confirmed. The incident caused production halts, supply chain disruptions, and liquidity crises for suppliers, leading to a pre-tax loss of £485 million (vs. a £398m profit the prior year). The UK Government intervened with a £1.5 billion loan guarantee to stabilize operations, which restarted in a phased manner by October 8, 2025. The Bank of England cited the attack as a key factor in the UK’s weaker-than-expected Q3 2025 GDP, highlighting its broader economic impact. Despite stabilization, the attack severely damaged profitability, with EBIT margins dropping to -8.6% (from 5.1% YoY) and long-term financial strain evident.
JUNE 2025
530
Ransomware
16 Jun 2025 • Oracle
Broadcom
Cl0p Exploits Zero-Day Vulnerabilities in Oracle E-Business Suite Leading to Massive Data Breaches
468
CRITICAL-62
BRO3105131112625
Broadcom, a global technology leader valued at hundreds of billions, was among the high-profile victims of Cl0p’s ransomware attack exploiting a zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882 and CVE-2025-21884). The cybercriminal group exfiltrated sensitive corporate and customer data, threatening to leak or sell it unless a ransom was paid. The breach compromised critical systems, risking financial records, proprietary business data, and third-party customer information. Cl0p’s extortion tactics included warnings of public disclosure on their blog, torrent leaks, or sales to malicious actors, amplifying reputational and operational risks. Given Broadcom’s role in semiconductor and infrastructure technology, the attack posed supply chain cascading risks, potentially disrupting clients reliant on its products. Oracle issued emergency patches, but the damage—including data theft, potential regulatory fines, and erosion of stakeholder trust—had already occurred. The incident underscores vulnerabilities in enterprise software dependencies, with Broadcom facing long-term financial and strategic repercussions if the stolen data is weaponized.
Vulnerability
16 Jun 2025 • Oracle
Oracle
Oracle E-Business Suite Vulnerabilities (CVE-2025-61884 & CVE-2025-61882) Exploited in Extortion Campaigns
468
CRITICAL-62
ORA0832608101425
Oracle issued an emergency security update to patch a critical information disclosure vulnerability (CVE-2025-61884, CVSS 7.5) in its E-Business Suite (EBS) Runtime UI component (versions 12.2.3–12.2.14). The flaw allows unauthenticated remote attackers to exploit it over a network without credentials, granting access to sensitive corporate resources, including financial, employee, or customer data. The vulnerability was part of a broader extortion campaign linked to the Cl0p ransomware group (FIN11), which exploited a separate zero-day (CVE-2025-61882, CVSS 9.8) to steal data and send extortion emails to executives. While Oracle did not confirm active exploitation of CVE-2025-61884, the urgent patch suggests high risk. Attackers leveraged hacked email accounts and default password resets to gain credentials, potentially exposing confidential business data, intellectual property, or operational secrets. The incident highlights risks of supply-chain attacks and data breaches in enterprise software, with possible financial fraud, reputational damage, or regulatory penalties if exploited.
MAY 2025
581
Ransomware
01 May 2025 • Oracle
Oracle
Critical Zero-Day Exploit in Oracle E-Business Suite (CVE-2025-61882) Linked to Cl0p Ransomware Attacks
521
CRITICAL-60
ORA5662156100625
Oracle released an emergency patch for CVE-2025-61882 (CVSS 9.8), a critical zero-day vulnerability in its E-Business Suite, actively exploited by the Cl0p ransomware group and potentially the Scattered LAPSUS$ Hunters. The flaw allows unauthenticated remote attackers to execute arbitrary code via HTTP, compromising the Oracle Concurrent Processing component. Cl0p leveraged this in a high-volume phishing campaign, stealing large volumes of sensitive data from multiple victims in August 2025. Indicators of compromise (IoCs) include malicious IP addresses (e.g., 200.107.207[.]26, 185.181.60[.]11), reverse shell payloads, and exploit scripts (e.g., oracle_ebs_nday_exploit_poc_...). Mandiant warned of mass exploitation, urging organizations to investigate potential breaches even after patching, as attackers may have already exfiltrated data. The incident highlights the risk of supply-chain attacks via unpatched enterprise software, with Cl0p’s campaign targeting financial, HR, and operational data—potentially disrupting business continuity and exposing customers/employees to fraud or regulatory penalties.
APRIL 2025
599
Breach
02 Apr 2025 • Oracle
Oracle
Oracle Data Security Incidents
577
CRITICAL-22
ORA656040225
Oracle faced two data security incidents with reported poor incident communication. An attacker allegedly accessed login servers and legacy Cerner data, leading to customers' personal information being at risk. Missteps in Oracle's response include outright denial, potentially misleading statements, and accusations of deleting evidence online, compounding the damage to their reputation.
MARCH 2025
627
Breach
21 Mar 2025 • Oracle
Oracle
Alleged Data Breach at Oracle Cloud
598
CRITICAL-29
ORA344032125
Oracle recently faced allegations of a data breach, with a threat actor claiming to have stolen 6 million records from Oracle Cloud's SSO login servers. Oracle has denied any breach, stating there was no compromise of their cloud services and customers' data remained secure. The threat actor, rose87168, attempted to sell the data and claimed the information includes SSO passwords, Java Keystore files, key files, and JPS keys from Oracle Cloud servers. Despite encrypted and hashed passwords requiring decryption or cracking, the impact of such a breach—if proven accurate—could potentially be significant, undermining trust in Oracle's cloud security and potentially impacting customers whose data was compromised.
JANUARY 2025
644
Cyber Attack
01 Jan 2025 • Oracle
Oracle and Bling Libra: Beyond encryption: Ransomware now threatens to leak stolen data
Ransomware Evolves: Data Theft and Extortion Take Center Stage in 2025 Cyberattacks
612
CRITICAL-32
UNIORA1782109726
Ransomware Evolves: Data Theft and Extortion Take Center Stage in 2025 Cyberattacks
Cybercriminals are shifting tactics, moving away from traditional ransomware encryption toward data theft and extortion schemes that leverage the threat of public exposure. According to Palo Alto Networks’ 2026 Global Incident Response Report by Unit 42, incidents involving encryption dropped to 78% in 2025, a significant decline from over 90% in prior years. Attackers now prioritize stealing sensitive data (customer records, financial details, intellectual property, and internal documents) to pressure victims into paying ransoms, knowing that leaks can trigger severe financial, legal, and reputational damage.
Several criminal groups have specialized in this approach. Bling Libra (ShinyHunters), known for compromising SaaS applications, and Hazy Scorpius (CLOP), which exploits vulnerabilities in enterprise platforms like Oracle EBS, exemplify this trend. These actors bypass encryption entirely, focusing on rapid data exfiltration as a more efficient extortion tool.
Artificial intelligence is accelerating these attacks. Cybercriminals now automate reconnaissance, vulnerability scanning, and intrusion campaigns, reducing the time from initial access to data theft to as little as 72 minutes. This speed outpaces traditional defense mechanisms, forcing organizations to bolster early detection capabilities.
Four key factors drive this shift:
1. Improved backups and recovery systems have diminished the impact of encryption-based ransomware.
2. Enhanced endpoint protection and automated threat disruption tools have made file hijacking less effective.
3. Regulatory pressures, including fines, lawsuits, and reputational harm, make data leaks a more potent threat.
4. Rapid data exfiltration allows attackers to bypass encryption while still inflicting maximum damage.
The trend disproportionately affects professional services, healthcare, and consumer-facing businesses, with medium-sized companies accounting for 64% of incidents. While manufacturing remains a top target, the construction sector saw a 44% year-over-year increase in attacks, driven by the value of bid documents, contracts, and financial forecasts.
The financial toll is steep: the average cost of data extortion incidents reached $5.08 million in 2025, with large-scale breaches exceeding $10 million. As a result, organizations are expanding security strategies beyond ransomware defenses, prioritizing SaaS access controls, phishing-resistant authentication, continuous leak monitoring, and faster incident response.
AUGUST 2024
625
Vulnerability
01 Aug 2024 • Oracle
Oracle
Oracle E-Business Suite Zero-Day Vulnerability Exploitation by Clop Hacking Group
623
CRITICAL-2
ORA4993249100625
Oracle has patched a critical zero-day vulnerability (CVE-2025-61882) in its E-Business Suite, actively exploited by the Clop hacking group to steal personal information of corporate executives and extort victims. The flaw allows remote exploitation without credentials, enabling mass data theft from thousands of organizations using the suite for customer data and employee HR files. Initially, Oracle downplayed the threat, linking extortion emails to older patched vulnerabilities from July. However, the newly discovered zero-day confirms ongoing exploitation since at least August 2024, with Clop demanding ransom to prevent leaking stolen data. Google’s Mandiant reported widespread attacks, though not all victims have been contacted yet. The breach poses severe risks to executive privacy, corporate reputation, and operational security, with potential cascading effects on Oracle’s enterprise clients globally.
JULY 2024
614
Vulnerability
16 Jul 2024 • Oracle
Oracle: Two-year-old Oracle WebLogic Server vulnerability is being exploited
Oracle WebLogic Vulnerability Added to CISA KEV Catalog Amid Active Exploits
613
CRITICAL-1
ORA1780446221
Oracle WebLogic Vulnerability Added to CISA KEV Catalog Amid Active Exploits
A recently patched Oracle WebLogic vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. The flaw, addressed in Oracle’s July 2024 Critical Patch Update (CPU), joins over a dozen other WebLogic vulnerabilities already listed in the KEV, underscoring persistent targeting of the platform.
Security researchers, including Tyler Reguly of Fortra, note that while the patch has been available for months, delayed remediation remains a key risk. Organizations with outdated systems, particularly those that haven’t applied patches in years, are prime targets, as attackers prioritize easier entry points over hardened environments.
The addition also highlights a broader trend: only 41% of CVEs in the KEV catalog are added in the same year they’re disclosed, with that figure rising to 58% by the following year. Surprisingly, over 40% of KEV-listed vulnerabilities are added two or more years after their release, suggesting that older flaws continue to be weaponized against unpatched systems. The delayed inclusion of this Oracle WebLogic bug aligns with this pattern, reinforcing the need for timely patch management.
JUNE 2024
718
Ransomware
16 Jun 2024 • Oracle
Oracle (E-Business Suite customers)
Extortion Campaign Targeting Oracle E-Business Suite Systems
581
HIGH-137
ORA4062140100225
A new extortion campaign targeted executives across multiple companies using Oracle E-Business Suite, with threat actors (potentially the Clop ransomware gang/FIN11) sending emails claiming theft of sensitive data. The campaign, active since at least September 29, 2025, leveraged hundreds of compromised email accounts, some linked to prior FIN11 activity. While the emails included contact details tied to Clop’s data leak site, Mandiant and Google Cloud have not yet confirmed actual data theft. The attack exploits potential vulnerabilities in Oracle’s platform, though no zero-day confirmation exists. Organizations were urged to investigate unusual access in their Oracle environments. Clop, known for ransomware deployment and data extortion, has historically exploited file transfer flaws (e.g., Cleo zero-days in 2024) to steal corporate data. The U.S. State Department offers a $10M reward for ties between Clop and foreign governments. The incident remains under investigation, with risks including financial extortion, reputational damage, and potential data leaks if claims are substantiated.
JANUARY 2024
710
Ransomware
01 Jan 2024 • Oracle
Oracle
Clop Ransomware Gang Targets Oracle E-Business Suite in Extortion Campaign
699
CRITICAL-11
ORA1092210100225
Hackers linked to the Russian ransomware gang Clop (FIN11) are exploiting vulnerabilities in Oracle E-Business Suite, a critical enterprise platform managing finance, HR, and supply chain data. The threat actors claim to have stolen sensitive corporate information and are conducting a high-volume extortion campaign, targeting executives across multiple organizations via compromised email accounts. While the exact scope of the breach remains unconfirmed, the group has historically leveraged stolen data for ransom demands rather than system disruption. Oracle previously disclosed a January 2024 incident where hackers accessed legacy systems and stole client credentials, raising concerns about credential reuse and exposure. The current campaign, launched on September 29, 2024, mirrors Clop’s past tactics—such as the MOVEit attacks—which impacted 2,773 organizations and exposed 96 million records. The group has demanded ransoms under the threat of leaking stolen data, using email addresses tied to Clop’s official leak site. Mandiant and Google Threat Intelligence Group (GTIG) are investigating but have not yet verified the full extent of the breach or the legitimacy of the stolen data claims.
JUNE 2023
757
Ransomware
16 Jun 2023 • Oracle
Oracle Corporation
Clop Ransomware Gang Exploits Zero-Day Vulnerability in Oracle E-Business Suite (CVE-2025-61882)
754
CRITICAL-3
ORA5233252112125
The Clop ransomware gang (Graceful Spider) breached Oracle Corporation by exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), an unauthenticated remote code execution (RCE) flaw with a CVSS score of 9.8. The attack bypassed authentication via the SyncServlet endpoint and injected malicious XSLT templates through RF.jsp, granting full control over enterprise systems. Oracle’s internal data and customer information were exposed, with Clop listing the company on its dark web leak site under a 'PAGE CREATED' status. The breach aligns with Clop’s broader campaign targeting high-profile victims (e.g., Mazda, Humana, Washington Post) via extortion emails threatening public data leaks unless ransoms are paid. The attack leveraged reused infrastructure from prior exploits (e.g., 2023 MOVEit vulnerability), with 96 distinct IPs tied to Russian-linked service providers. The incident underscores the severe risk posed by unpatched EBS instances, which manage critical functions like procurement, logistics, and financial records globally.
JANUARY 2023
796
Ransomware
01 Jan 2023 • Oracle
Oracle and Microsoft: China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
Storm-1175: China-Based Threat Actor Exploits Zero-Days and N-Days in High-Speed Ransomware Attacks
746
CRITICAL-50
ORAMIC1775551007
Storm-1175: China-Based Threat Actor Exploits Zero-Days and N-Days in High-Speed Ransomware Attacks
A China-linked threat actor, tracked as Storm-1175, has been identified as the force behind a surge of high-velocity ransomware attacks, leveraging a mix of zero-day and N-day vulnerabilities to breach internet-facing systems. According to Microsoft Threat Intelligence, the group has demonstrated rapid operational tempo, targeting organizations in healthcare, education, professional services, and finance across Australia, the UK, and the U.S.
Storm-1175 has exploited at least 16 vulnerabilities since 2023, including CVE-2025-10035 and CVE-2026-23760, which were weaponized as zero-days before public disclosure. The group has also chained multiple exploits (e.g., OWASSRF) for post-compromise activity, often gaining initial access through recently disclosed flaws before patches are widely deployed.
Once inside a network, the financially motivated actor moves swiftly, exfiltrating data and deploying Medusa ransomware within 24 hours in some cases. Persistence is established through new user accounts, web shells, or legitimate remote monitoring and management (RMM) tools, while security defenses are disrupted via credential theft, firewall manipulation, and antivirus exclusions.
Recent attacks have expanded to Linux systems, including vulnerable Oracle WebLogic instances, though the exact exploited flaw remains unidentified. Storm-1175’s tactics include:
- Living-off-the-land binaries (LOLBins) like PowerShell, PsExec, and Impacket for lateral movement.
- PDQ Deployer for payload delivery, including Medusa ransomware.
- Credential dumping via Mimikatz and Impacket.
- Data exfiltration using Bandizip and Rclone.
- Abuse of RMM tools (e.g., AnyDesk, Atera, ConnectWise ScreenConnect) to blend malicious traffic with legitimate encrypted communications.
The group’s ability to rotate exploits quickly, capitalizing on the window between disclosure and patch adoption, highlights the growing threat of dual-use infrastructure in cyberattacks.
JUNE 2020
793
Breach
16 Jun 2020 • Oracle
Oracle Corporation
Oracle Corporation Gen 1 Servers Data Breach
763
CRITICAL-30
ORA956040325
Oracle Corporation endured a data breach affecting its Gen 1 servers, with no complete PII exposure but involving 6 million data records including usernames, email addresses, and hashed passwords. Sensitive credentials related to SSO and LDAP were also compromised. The breach, attributed to the threat actor 'rose87168' via a 2020 Java exploit, resulted in the theft of JKS files and Enterprise Manager JPS keys from legacy systems approximately 16 months old. Oracle has informed clients and taken steps to bolster Gen 1 server security while maintaining that its Gen 2 servers and primary Oracle Cloud infrastructure remain secure.
JUNE 2019
823
Ransomware
16 Jun 2019 • Oracle
Oracle Corporation
Clop Ransomware Exploits Zero-Day CVE-2025-61882 in Oracle E-Business Suite
781
CRITICAL-42
ORA4332743112125
The Clop ransomware gang (Graceful Spider) exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), an enterprise resource planning system used for order management, procurement, and logistics. The unauthenticated remote code execution (RCE) flaw allowed attackers to bypass authentication via the OA_HTML/SyncServlet endpoint and inject malicious XSLT templates through OA_HTML/RF.jsp, granting full control over sensitive ERP data. Oracle was listed on Clop’s dark web leak site, suggesting internal corporate data—potentially financial and employee records—was compromised. The attack leveraged reused infrastructure from prior campaigns (e.g., 2023 MOVEit exploits), with extortion emails sent to victims demanding ransom to prevent data leaks. Over 1,025 victims and $500M+ in extorted funds since 2019 highlight Clop’s persistence. The breach poses severe risks to Oracle’s supply chain integrity, operational continuity, and reputation, with potential cascading effects on clients like Mazda, Humana, and the Washington Post, also listed as victims.
AUGUST 2016
829
Breach
01 Aug 2016 • Oracle
Oracle
Oracle MICROS Point-of-Sale System Breach
805
CRITICAL-24
ORA392622
A Russian cybercrime group breached 100 computer systems belonging to Oracle's retail division and its MICROS point-of-sale credit card payment systems.
Oracle's corporate networks and its other cloud and service offerings were not affected by the breach.
Oracle urged MICROS customers to change their passwords, as well as any passwords used by MICROS representatives to access their on-premise systems.
JULY 2013
837
Breach
10 Jul 2013 • Oracle
Oracle Corporation
Fidelity Investments Data Breach (2013) Affecting Oracle Corporation Employees
817
HIGH-20
ORA720082025
On July 10, 2013, Fidelity Investments experienced a data breach reported by the California Office of the Attorney General on July 31, 2013. An unauthorized individual gained access to a report containing sensitive personal information of Oracle Corporation employees, including names and Social Security numbers. The breach exposed confidential employee data, though the exact number of affected individuals remains undisclosed. The incident highlights a significant security lapse, as the compromised data could facilitate identity theft, financial fraud, or targeted phishing attacks against the affected employees. While the breach did not directly impact Fidelity’s customers, the exposure of third-party (Oracle) employee records underscores vulnerabilities in data handling and access controls. The breach’s discovery and reporting delay (21 days) may have further exacerbated risks, as affected individuals were left uninformed during this period. Such breaches erode trust in financial institutions’ ability to safeguard sensitive information, potentially leading to reputational damage and regulatory scrutiny. The nature of the stolen data—Social Security numbers—makes it particularly high-risk, as this information is immutable and highly valuable to cybercriminals for long-term exploitation.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Oracle?
What was Oracle's A.I Rankiteo Cyber Score in May 2026?
What was Oracle's A.I Rankiteo Cyber Score in April 2026?
What was Oracle's A.I Rankiteo Cyber Score in March 2026?
What was Oracle's A.I Rankiteo Cyber Score in February 2026?
What was Oracle's A.I Rankiteo Cyber Score in January 2026?
What was Oracle's A.I Rankiteo Cyber Score in December 2025?
What was Oracle's A.I Rankiteo Cyber Score in November 2025?
What was Oracle's A.I Rankiteo Cyber Score in October 2025?
What was Oracle's A.I Rankiteo Cyber Score in September 2025?
What was Oracle's A.I Rankiteo Cyber Score in August 2025?
What was Oracle's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Oracle's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Oracle?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Oracle's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?