Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: data-breach (31 articles)Clear

Japanese utility Kyushu Electric loses drive holding 10.9 million customer records

Kyushu Electric Power, one of Japan's largest utilities, has disclosed a physical security incident: a storage drive containing the personal data of more than 10.9 million customers went missing. Because the exposure stems from lost media rather than a network intrusion, the risk depends largely on whether the drive was encrypted, a detail that determines if the data is readable by whoever finds it. The incident is a reminder that data-governance failures, like unencrypted or poorly tracked portable storage, can expose as many records as a sophisticated hack. Affected customers should watch for fraud and phishing attempts referencing their utility account.

Check
Kyushu Electric customers should watch statements and inboxes for fraud or phishing referencing their utility account; organizations should audit how portable drives holding personal data are encrypted and tracked.
Affected
More than 10.9 million Kyushu Electric Power customers whose personal data was stored on the missing drive; exposure severity depends on whether that storage was encrypted.
Fix
Encrypt all portable and removable media holding personal data, maintain strict chain-of-custody and inventory for such drives, and minimize the data placed on movable storage in the first place.

Attackers post fake breach notices to Maine's public disclosure portal

In an unusual misinformation campaign, fraudulent data-breach notices were submitted to Maine's official Attorney General breach portal and published before anyone verified them, forcing named companies to issue denials. One filing falsely claimed a Discord breach affecting more than 10 million people, submitted not by a company representative but by an individual using a personal Gmail address, a placeholder phone number, and impossible dates. Because the portal is public and a listing does not mean a breach is confirmed, the fakes can spread fear, damage reputations, and seed convincing phishing lures. It highlights how trusted disclosure channels can be weaponized.

Check
Monitor state breach-notification portals for filings naming your organization, and verify any breach claim about a vendor or partner through that company's official channels before acting on it.
Affected
Any organization that can be named in a fraudulent filing, and the public and journalists who treat a portal listing as confirmation; the underlying portal trust model is the weakness.
Fix
Establish monitoring and a rapid-denial process for fake filings, brief staff and customers to confirm breach notices via official sources, and press regulators to add basic submitter verification.

ShinyHunters extorts Oracle PeopleSoft customers in widening data-theft spree

The extortion group ShinyHunters is running a wave of data-theft attacks against organizations using Oracle PeopleSoft, the enterprise software that large institutions rely on for HR, payroll, finance, and student records. Both cloud and on-premises instances are affected, and the gang claims data from more than 100 organizations. Attackers typically log in with stolen employee credentials, move through the PeopleSoft environment, and exfiltrate large datasets before demanding a Bitcoin ransom. A confirmed victim is the University of Nottingham, where a breach of an Oracle student-records system exposed 454,635 accounts. Researchers have shared attacker IP addresses and noted the use of MeshCentral remote-access agents.

Check
Review PeopleSoft access logs for logins from unfamiliar IPs or locations, check for MeshCentral or other unexpected remote-access agents, and confirm whether your org received a ShinyHunters extortion demand.
Affected
Organizations running cloud or on-premises Oracle PeopleSoft, particularly those with reused or phishable employee credentials and limited monitoring of administrative access to HR, finance, and student-records modules.
Fix
Enforce phishing-resistant MFA on all PeopleSoft accounts, rotate exposed credentials, block the shared attacker IPs, remove unauthorized remote-access tools, and tighten access controls and logging on instances.

ServiceNow API flaw let attackers query customer instance data

ServiceNow has quietly told affected customers that attackers exploited an unauthenticated flaw in one of its API endpoints to pull data from hosted customer instances. The company applied a fix to hosted instances on June 5 that restricts the endpoint to authenticated users, and confirmed attackers had successfully queried customer instance tables, though it did not say what data was taken. ServiceNow instances routinely hold sensitive material such as IT support tickets, employee records, asset inventories, and internal documentation, and support tickets in particular often contain credentials, API tokens, and secrets shared during troubleshooting. ServiceNow has opened support cases with the customers it believes were impacted.

Check
Check your ServiceNow support portal for a case opened by ServiceNow about this incident, and review instance access and API logs for unexpected unauthenticated queries before June 5.
Affected
Organizations running hosted ServiceNow instances whose data could be reached through the vulnerable unauthenticated API endpoint before the June 5 fix, especially those storing secrets in support tickets.
Fix
Confirm the June 5 fix applied to your instance, rotate any credentials, API tokens, or secrets that appeared in support tickets, and tighten access controls and logging on the instance.

Nightclub operator RCI breach exposes 40,000 records via website IDOR flaw

RCI Hospitality, one of the largest US adult-nightclub operators, has confirmed that a breach exposed the personal data of 40,178 people, mostly independent contractors. Attackers got in through an insecure direct object reference (IDOR) flaw on one of the company's IIS web servers, a common web bug where simply changing an ID number in a web address lets you pull up someone else's record. The intrusion began March 19 and was spotted four days later. Stolen data includes names, dates of birth, Social Security numbers, and driver's license numbers. RCI says no customer or financial systems were touched, and the data has not yet appeared publicly.

Check
If you received an RCI breach notice or worked with RCI, watch for identity fraud. Developers should test their own web apps for IDOR by altering record IDs in authenticated requests.
Affected
Roughly 40,178 people, mostly independent contractors of RCI Hospitality, whose names, birth dates, Social Security numbers, and driver's license numbers sat in the breached IIS web server.
Fix
Affected individuals should enroll in any offered credit monitoring and freeze their credit. Similar orgs should add server-side authorization checks on every object reference and pen-test for IDOR.

HVAC distributor Baker breach exposes 102,000 accounts to ShinyHunters

Baker Distributing, one of the largest US wholesalers of heating, cooling, and refrigeration equipment, has been hit by the extortion group ShinyHunters, which stole company data and posted it after the company did not pay. Breach-tracking service Have I Been Pwned has now confirmed 102,935 affected accounts; the gang originally claimed more than 260,000 stolen records pulled from Salesforce and internal SharePoint sites, including HR documents. ShinyHunters has been on a tear this year, breaking into corporate SaaS accounts by tricking IT help desks into resetting credentials. Exposed personal and business data fuels follow-on phishing aimed at Baker's customers and staff.

Check
If you work with or for Baker Distributing, check whether your email appears in Have I Been Pwned and watch inboxes for HVAC or invoice-themed phishing referencing the breach.
Affected
Baker Distributing employees, contractors, and business customers whose personal and corporate data sat in the breached Salesforce and SharePoint systems; 102,935 accounts confirmed.
Fix
Reset passwords reused with Baker accounts and enable phishing-resistant MFA. For your own org, lock down help-desk identity resets with callback verification to blunt ShinyHunters-style social engineering.

Booking.com confirms data breach exposing guest reservation details - phishing wave already targeting travelers

Booking.com has confirmed unauthorized access to its systems that exposed guest reservation data including names, email addresses, phone numbers, postal addresses, booking details, and any messages shared with accommodation providers. The company began emailing affected customers over the weekend but did not send alerts via the Booking.com app, creating confusion about whether the notification emails were legitimate. Booking.com says financial data was not accessed. The company has reset PIN numbers for affected reservations. The number of impacted users has not been disclosed, though Booking.com lists 6.8 billion bookings since 2010 across 30+ million properties. Reddit users are already reporting scam messages from people who appear to have real reservation details, suggesting attackers are using the stolen data for targeted phishing. The Register notes this follows a similar 2021 breach pattern where attackers compromised hotel staff logins to access the platform.

Check
If you or your employees have upcoming Booking.com reservations, be on high alert for phishing emails and messages that reference real booking details. The scams will look convincing because the attackers have the actual reservation data.
Affected
Anyone with active or recent Booking.com reservations. The exposed data (names, emails, phones, addresses, booking details, messages to hotels) gives attackers everything needed for highly targeted phishing.
Fix
Do not click links in any emails claiming to be from Booking.com or your booked hotel - go directly to booking.com to check your reservations. Verify that your booking PIN has been reset (Booking.com says they've done this automatically). Watch for emails requesting payment changes, 'verification' of card details, or 'reservation confirmations' that link to non-booking.com domains. If you uploaded passport or ID copies for your reservation, monitor for identity fraud. Note that passport/ID exposure was not confirmed by Booking.com but many hotels require these documents.

CERT-EU confirms TeamPCP breached European Commission via Trivy - 30 EU entities exposed, 340GB leaked

The European Commission cloud hack we first reported on March 29 is far worse than initially disclosed. CERT-EU now confirms TeamPCP used an AWS API key stolen through the Trivy supply chain attack to breach the Commission's Amazon cloud environment on March 10 - five days before anyone noticed. The stolen data includes personal information, usernames, and 52,000 email files across 71 hosted clients: 42 internal Commission departments and at least 29 other EU entities. ShinyHunters published the full 340GB dataset on their leak site.

Check
If your organization interacted with any Europa.eu hosted service, assume your contact data may be in the leaked dataset.
Affected
42 internal European Commission clients and at least 29 other EU entities using the Europa.eu web hosting service. Any organization that exchanged emails with these entities may have data in the leak.
Fix
Monitor for credential exposure from the leaked dataset. If you used Trivy in CI/CD pipelines, rotate all AWS keys and pipeline secrets immediately. Block scan.aquasecurtiy[.]org and 45.148.10.212. Pin Trivy to v0.69.3, trivy-action to v0.35.0, setup-trivy to v0.2.6.

Hims & Hers discloses breach after ShinyHunters steal millions of Zendesk support tickets via Okta SSO

Telehealth giant Hims & Hers - nearly $1 billion in annual revenue, millions of subscribers - disclosed that hackers stole customer support tickets from its Zendesk instance between February 4-7. The ShinyHunters extortion gang conducted the breach by compromising Okta SSO credentials through social engineering, then pivoting into the Zendesk platform. Stolen data includes names, contact information, and details from support requests. No medical records or doctor communications were compromised. The company took two months to disclose.

Check
Review whether your organization uses Zendesk with Okta SSO integration - this same attack pattern has hit multiple companies recently.
Affected
Any organization using Zendesk integrated with Okta SSO for authentication. Hims & Hers, ManoMano, and Crunchyroll were all breached through this pattern.
Fix
Enforce phishing-resistant MFA (FIDO2 hardware keys) on all Okta accounts - standard TOTP/push MFA can be bypassed by social engineering. Audit Okta sign-in logs for SSO sessions accessing Zendesk from unusual locations. Review third-party SaaS integrations connected through your identity provider.

CareCloud confirms hackers accessed patient health records in 8-hour breach

Healthcare software company CareCloud disclosed to the SEC that hackers breached one of its six electronic health record environments on March 16, gaining access to patient medical data for approximately eight hours. The company serves over 40,000 healthcare providers. It's still investigating whether data was exfiltrated, but classified the incident as material on March 24 due to the sensitivity of the records. No ransomware group has claimed the attack.

Check
If your organization uses CareCloud Health for EHR, contact CareCloud for specifics on whether your environment was affected.
Affected
CareCloud Health EHR platform users. One of six EHR environments was compromised.
Fix
Monitor for CareCloud's breach notification updates. Review access logs for unusual activity around March 16. Ensure MFA is enforced on all EHR system access. Prepare for potential patient notification requirements.