Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

West Pharmaceutical Services hit by ransomware - $3B injectable-packaging supplier disclosed data theft and encryption in SEC 8-K, global shipping and manufacturing disrupted

West Pharmaceutical Services - the Pennsylvania-based S&P 500 maker of injectable pharmaceutical packaging and drug delivery components, with annual revenues over $3 billion and 10,800 employees - filed an SEC 8-K disclosing a 'material cybersecurity attack.' The company detected the intrusion on May 4, 2026, and confirmed on May 7 that attackers had exfiltrated data and encrypted certain systems. West took infrastructure offline globally for containment, engaged Palo Alto Networks' Unit 42 for forensics, and partially restored core enterprise, shipping, and manufacturing systems by May 13. No ransomware group has publicly claimed the attack, and West says it has 'taken steps intended to mitigate the risk of dissemination of the exfiltrated data.'

Check
Check whether your organization is a downstream customer of West Pharmaceutical Services (injectable vials, syringes, stoppers, drug delivery components), audit purchase orders and delivery delays from May 4 onward, and review supplier-risk assessments.
Affected
Customers and supply-chain partners of West Pharmaceutical Services - primarily biopharma manufacturers and contract drug fillers that depend on West for injectable packaging and delivery systems. Scope of stolen data not yet disclosed.
Fix
Engage West directly for an authoritative status update on your specific product lines, activate alternate-supplier contingencies for time-critical injectables, and treat any new emails referencing West order numbers as untrusted until verified through known account contacts.

BWH Hotels (Best Western's parent) had attackers in its reservation system for over six months - guests' contact details and stay records exposed across Best Western, WorldHotels, and SureStay brands

BWH Hotels - the global hospitality group behind Best Western, WorldHotels, and Sure Hotels, with 4,000+ properties in over 100 countries and 53 million loyalty members - has disclosed that attackers were inside one of its guest reservation web applications for more than six months. The intrusion ran from October 14, 2025, to April 22, 2026, when BWH finally detected unauthorized activity. The hackers accessed names, email addresses, phone numbers, postal addresses, reservation numbers, stay dates, and any special requests for an undisclosed number of guests. Payment data sat with a third-party processor and was not affected. No threat actor has claimed the breach so far.

Check
Search corporate travel and expense systems for stays at BWH-branded properties between October 2025 and April 2026, and warn frequent business travelers to treat any unexpected reservation emails as suspect.
Affected
BWH Hotels guests with reservations in the affected web application between October 14, 2025, and April 22, 2026. Brands include Best Western, Best Western Hotels and Resorts, WorldHotels, SureStay, and Sure Hotels.
Fix
Treat any unexpected emails or texts referencing past BWH stays as untrusted, even if the details match. Visit the booking property's verified website directly instead of clicking links, and rotate any reused passwords.

Skoda Auto's German online shop breached via e-commerce software flaw - customer names, addresses, phones, and password hashes exposed; server logs cannot confirm full exfiltration

Skoda Auto, the Volkswagen Group's Czech-built carmaker with 34,000 employees and 27 billion euros in annual sales, disclosed that attackers exploited a flaw in its German online shop software to access customer data. The breach hit shop.skoda-auto.de, not Skoda's global systems or the Skoda Connect portal. Exposed information includes names, addresses, email addresses, phone numbers, order history, account data, and password hashes. Payment card details were not stored on the affected system. Skoda took the shop offline, patched the flaw, and engaged external forensics, but admitted its server logs cannot retrospectively confirm exactly what data was copied out during the intrusion window.

Check
Check the email account used for any past Skoda online shop orders, search your password manager for credentials reused across Skoda and other services, and watch for German-language phishing referencing real order numbers.
Affected
Customers who created an account or placed an order on shop.skoda-auto.de (Skoda Auto Germany's online store). The Skoda Connect Portal and Skoda's global systems are not affected per the company.
Fix
Change the Skoda online shop password and any other service using the same credentials, and enable MFA where available. Do not click links in emails or texts about Skoda orders; verify directly through the shop website.

Telehealth aggregator OpenLoop Health confirms 716,000 patient records stolen in a 24-hour intrusion in January - downstream consumer brands still unnamed

OpenLoop Health, an Iowa-based telehealth infrastructure company that supplies clinicians and prescription processing to dozens of consumer telehealth platforms, has confirmed via the HHS breach portal that a January 2026 incident affected 716,000 individuals. Attackers were inside its systems for only one day - January 7 to 8 - but exfiltrated names, addresses, email addresses, dates of birth, and medical information. Social Security numbers and electronic health records were not accessed. A threat actor called Stuckin2019 claimed responsibility and put samples on a hacking forum; OpenLoop reportedly paid them and the listing was taken down. Because OpenLoop is white-label, affected patients enrolled through many different consumer telehealth brands.

Check
Search HR and benefits records for employee enrollments in telehealth programs (weight loss, men's health, hormone therapy) that may run on OpenLoop's backend, and review supplier security questionnaires for any telehealth vendor.
Affected
Patients of any consumer telehealth platform that uses OpenLoop Health as its clinical infrastructure provider. 716,000 individuals confirmed via HHS OCR; threat actor Stuckin2019 claimed 1.6 million.
Fix
Affected individuals should enroll in the free IDX credit and identity monitoring OpenLoop is offering, and watch for medical-themed phishing for at least 12 months. Treat unexpected appointment reminders or prescription notices as suspect until verified.

Have I Been Pwned confirms two more ShinyHunters Salesforce extortion victims this week - financial-software firm Abrigo (711K) and insurer Canada Life (237K)

Troy Hunt's Have I Been Pwned added two new ShinyHunters victims this week. Abrigo - a Texas-based fintech that builds risk, compliance, and lending software for thousands of US banks and credit unions - had 711,099 unique email addresses and 1.75 million records lifted from its Salesforce environment in April after refusing to pay the ransom. The Canada Life Assurance Company, one of Canada's largest insurers, had 237,810 accounts confirmed in HIBP from a separate ShinyHunters Salesforce breach. Both fit the pattern of the months-long ShinyHunters mass-extortion campaign that already hit Zara, Woflow, and Instructure, with stolen data sitting in third-party Salesforce tenants rather than the victims' core systems.

Check
Check whether your company has a customer or vendor relationship with Abrigo or Canada Life, search your corporate email domains against Have I Been Pwned, and audit Salesforce Connected Apps and OAuth tokens granted to third-party integrations.
Affected
Customers, lenders, and partners of Abrigo (US community banks, credit unions, lenders) and Canada Life (Canadian insurance, savings, and retirement clients). Any organization with broad Salesforce access for third-party connected apps.
Fix
Rotate Salesforce passwords and API tokens where compromise is suspected, revoke unused Connected Apps in Salesforce setup, enforce MFA on every Salesforce user, and warn affected staff to expect impersonation phishing using the leaked PII.

Foxconn confirms cyberattack on North American factories - Nitrogen ransomware crew claims 8 TB stolen including Apple, Intel, Google, Dell, and Nvidia project files

Foxconn confirmed Tuesday that a cyberattack hit several North American factories, with its Wisconsin Mount Pleasant facility halting production for a week starting May 1. Workers were told to power off computers and revert to paper timesheets. Nitrogen ransomware group claimed responsibility, posting 8 TB of stolen data covering 11 million files - allegedly including project documentation tied to Apple, Intel, Google, Dell, AMD, and Nvidia. Foxconn says production is resuming. This is the fourth ransomware attack on a Foxconn entity since 2020.

Check
If your organization is a Foxconn customer sharing technical documentation, audit which projects had files staged at the Mount Pleasant facility between January and May.
Affected
Foxconn customers with data at the Wisconsin facility - Apple, Intel, Google, Dell, AMD, Nvidia, Cisco, Microsoft. Acute: organizations whose chip architecture or data center topology documents were shared for server or AI infrastructure production.
Fix
Contact Foxconn directly to confirm what was exfiltrated. Treat any technical documentation shared with Mount Pleasant since 2024 as potentially exposed. Rotate credentials, API keys, or signing certificates Foxconn held.

Instructure paid ShinyHunters' ransom to stop the 3.65TB Canvas data leak, and the US Congress launched an inquiry the same day

Update on the Canvas breach covered May 4, 8, and 12: Instructure paid an undisclosed ransom to ShinyHunters on Tuesday to stop publication of the 3.65 TB dataset covering 8,809 educational organizations and 275 million students and staff. Hours later, the US House Education Committee launched a formal inquiry requesting testimony from Instructure leadership about the breach and the decision to pay. This is the largest known education-sector ransom payment. The FBI's 'don't pay' guidance now collides with Congressional scrutiny of the payment decision.

Check
Contact Instructure for written confirmation your school's data is off the leak schedule. Check Canvas API logs for bulk exports between February and April.
Affected
8,809 schools, universities, and training organizations on Canvas. K-12 districts face state student-privacy obligations (NY 2-d, SOPIPA, ~130 statutes) independent of payment. Universities face FERPA obligations.
Fix
Issue COPPA and FERPA notifications per state timelines regardless of ransom payment - the data was already exposed before the deal. Rotate Canvas API keys and re-authorize integrations.

Identity governance vendor SailPoint discloses GitHub repository breach - third-party app flaw to blame

SailPoint, the identity governance vendor used by many large enterprises, disclosed in a SEC 8-K filing that attackers gained unauthorized access to a subset of its GitHub repositories on April 20. The company's incident response team contained the intrusion the same day. SailPoint says no customer data in production or staging was accessed and its services were not interrupted. The root cause was a vulnerability in a third-party application, which has been remediated. SailPoint notified affected customers directly and says no further customer action is needed. The company has not disclosed what data was actually in the impacted repos.

Check
If you use SailPoint (IdentityNow, IdentityIQ, or related products), check whether you received a direct notification dated after April 20, 2026, and review the scope details in your account portal.
Affected
SailPoint customers who received a direct breach notification dated on or after April 20, 2026. The company has not publicly disclosed which products, repositories, or customer subsets were specifically named in the notifications. No customer data in production or staging environments was accessed per SailPoint's SEC filing.
Fix
Follow guidance in your direct SailPoint notification. As a precaution, rotate any API tokens or service-account credentials issued for SailPoint integration over the past 12 months. Review SailPoint integration audit logs for unexpected activity from April onward. Ask SailPoint for the name of the third-party application whose flaw caused the intrusion - your organization may use it elsewhere.

UK water company hit by Cl0p had hackers hidden in its network for nearly 2 years - ICO fines South Staffordshire Water 964K

The UK Information Commissioner fined South Staffordshire Water 963,900 pounds over a 2022 Cl0p ransomware breach that exposed 633,887 customer and employee records. The penalty notice reveals attackers were inside the network nearly two years before discovery - initial access happened September 2020 via a malicious email attachment, but they were not detected until July 2022 when IT performance issues triggered an investigation. The ICO found basic security failures: an unpatched ZeroLogon flaw on two domain controllers, no principle of least privilege, an outsourced SOC monitoring just 5 percent of the IT estate, and Windows Server 2003 boxes still running in production.

Check
Pull your most recent domain-controller vulnerability scan. If nothing exists in the last 90 days, that is itself a finding. Verify ZeroLogon (CVE-2020-1472) is patched on every DC.
Affected
Any organization where domain controllers run unpatched, where the outsourced SOC monitors less than the full IT estate, where legacy systems like Windows Server 2003 remain in production, or where vulnerability scanning has not been performed in over 90 days. Critical national infrastructure and regulated industries face especially harsh penalties for these gaps.
Fix
Patch ZeroLogon (CVE-2020-1472) on every domain controller now if not already done. Confirm your SOC contract requires monitoring coverage of 100 percent of in-scope assets, with endpoint telemetry and authentication logs integrated. Run quarterly internal and external vulnerability scans and retain the reports for regulator inspection. Retire any Windows Server 2003 boxes still in production - extended support ended July 2015.

Instructure confirms ShinyHunters used Canvas XSS flaws to deface school login portals and pressure ransom

Instructure confirms that ShinyHunters exploited multiple cross-site scripting flaws in Canvas to deface school login portals on May 7, demanding the company and individual schools negotiate ransom by May 12. The flaws are in user-generated-content features of the free Free-for-Teacher Canvas environment and let the attacker grab authenticated admin sessions. This was a second hit following the original breach disclosed a week earlier that ShinyHunters claims netted 3.6 terabytes covering 8,809 educational organizations and 275 million student, teacher, and staff records. Instructure has taken Free-for-Teacher offline and applied additional safeguards; main Canvas has been restored since May 9.

Check
If your school uses Canvas, check whether students or staff saw the defaced login page on May 7. Review browser logs for any extension that interacted with injected ransom content.
Affected
Canvas instances accessed through the Free-for-Teacher environment between May 7 and Instructure taking it offline. The exploited cross-site scripting flaws sit in user-generated-content features that allowed JavaScript injection. Schools and universities running the paid Canvas LMS are also exposed to the underlying data breach that ShinyHunters used for extortion leverage.
Fix
Wait for Instructure's official statement on which XSS vulnerabilities were exploited and when Free-for-Teacher returns. For paid Canvas tenants, assume usernames, email addresses, course names, enrollment information, and direct messages were part of the 3.6TB leak and treat affected accounts as phishing targets. Force-rotate any API tokens issued for Canvas integrations and audit external integrations that accepted user-generated content.