Last updated: July 5, 2026 at 9:01 AM UTC
Tag: government (5 articles)

Case study reveals US county paid $1 million to data-theft extortion group

A Ransom-ISAC case study, built from a leaked negotiation chat and the blockchain trail, reconstructs how a US government entity quietly paid about $1 million to an extortion group called Kairos to keep stolen files from being published. Notably, Kairos never encrypted anything: there was no locker and no decryption key, just theft and the threat to leak, with special pressure applied to a folder of prosecutors' records. The month-long negotiation fell from a $3 million demand to a $1 million payment. The case reflects a broader shift, with roughly half of recent extortion now skipping encryption entirely, since data theft alone provides enough leverage.

Check
Review whether you could detect the signs seen here: password-guessed logins, repeated failed logins, and large outbound transfers to burner file-sharing links, and confirm sensitive record stores are segmented and monitored.
Affected
Organizations holding sensitive records, especially smaller government bodies with limited resources; data-theft extortion needs no ransomware, only stolen files and the threat to publish, to force a large payment.
Fix
Enforce multi-factor authentication and alert on failed logins, segment and monitor sensitive record stores, watch for large outbound transfers, and treat any promise to delete stolen data as worthless.
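
The two signs the case study names, password guessing followed by a successful login and a large outbound transfer to a file-sharing host, can be checked against ordinary logs. The script below is an added example, not Ransom-ISAC's or the county's tooling; the sshd-style auth lines, host names and byte counts are constructed samples, and the thresholds (5 failures, 10 GB) are assumptions to tune locally.

```python
from collections import defaultdict
import re

# Constructed sshd-style auth log lines (syslog format); not from the incident.
AUTH_LOG = """\
Jun 02 01:10:03 fs1 sshd[812]: Failed password for admin from 203.0.113.7 port 51012 ssh2
Jun 02 01:10:05 fs1 sshd[812]: Failed password for admin from 203.0.113.7 port 51013 ssh2
Jun 02 01:10:08 fs1 sshd[812]: Failed password for admin from 203.0.113.7 port 51014 ssh2
Jun 02 01:10:11 fs1 sshd[812]: Failed password for admin from 203.0.113.7 port 51015 ssh2
Jun 02 01:10:14 fs1 sshd[812]: Failed password for admin from 203.0.113.7 port 51016 ssh2
Jun 02 01:10:20 fs1 sshd[812]: Accepted password for admin from 203.0.113.7 port 51017 ssh2
Jun 02 08:00:01 fs1 sshd[900]: Failed password for jdoe from 198.51.100.4 port 40000 ssh2
Jun 02 08:00:30 fs1 sshd[900]: Accepted password for jdoe from 198.51.100.4 port 40001 ssh2
"""
AUTH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def password_guess_sources(log: str, threshold: int = 5) -> list:
    """Return (source_ip, user) pairs where >= threshold failures preceded a success."""
    failures = defaultdict(int)
    hits = []
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        key = (src, user)
        if outcome == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:   # success after a run of failures
            hits.append(key)
            failures[key] = 0
    return hits

# Constructed outbound-transfer records: (source host, destination host, bytes sent).
TRANSFERS = [
    ("fs1", "files.example-share.invalid", 48_000_000_000),  # ~48 GB to a sharing host
    ("fs1", "mail.example.gov", 120_000_000),
    ("ws7", "cdn.example.net", 900_000_000),
]

def large_outbound(records, limit_bytes: int = 10_000_000_000) -> list:
    """Return (source, destination) pairs whose summed outbound bytes exceed limit_bytes."""
    totals = defaultdict(int)
    for src, dst, nbytes in records:
        totals[(src, dst)] += nbytes
    return sorted(pair for pair, total in totals.items() if total > limit_bytes)

if __name__ == "__main__":
    print(password_guess_sources(AUTH_LOG))   # [('203.0.113.7', 'admin')]
    print(large_outbound(TRANSFERS))          # [('fs1', 'files.example-share.invalid')]
```

A single failure before jdoe's login stays below the threshold, so only the admin login from 203.0.113.7 is flagged.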

DHS confirms breach of unclassified Homeland Security information-sharing network

The US Department of Homeland Security has confirmed a breach of the Homeland Security Information Network, an unclassified but sensitive platform that federal, state, local, and private-sector partners use to share threat information and coordinate operations. The intrusion is believed to have happened between late May and early June, and according to reporting, the attackers targeted HSIN servers and an associated SharePoint collaboration system. DHS says it isolated the affected systems, that classified networks were not touched, and that the platform remains operational, but it has not attributed the attack or confirmed whether documents were stolen. Even without confirmed theft, compromising this coordination hub is operationally significant.

Check
Organizations that connect to or share data through HSIN should watch for follow-on phishing or misuse of any exposed coordination data, and confirm the security of their own SharePoint collaboration systems.
Affected
Federal, state, local, and private-sector partners who use HSIN to share sensitive information; the breach hit HSIN servers and a linked SharePoint system, though data theft is not confirmed.
Fix
Patch and harden SharePoint and other collaboration platforms, segment sensitive information-sharing systems, enforce phishing-resistant MFA, and monitor for unusual access, given attackers are actively targeting SharePoint and coordination hubs.

Texas Parks and Wildlife vendor breach exposes 3 million license holders

The Texas Parks and Wildlife Department says a breach at the third-party vendor that runs its hunting and fishing license sales exposed personal data for 3,087,721 customers, in what officials call the state's largest government data breach this year. The exposed information includes driver's license details, passport numbers where provided, email addresses, phone numbers, and home addresses; the department says Social Security numbers, dates of birth, and financial data were not taken. Texas Cyber Command detected the intrusion, which reached customer profile data through the vendor's systems. Because driver's license and passport numbers cannot be reset, affected people face lasting identity-theft and phishing risk.

Check
Texas hunting and fishing license holders should enroll in the offered Kroll credit monitoring before September 14, watch for phishing referencing licenses or state agencies, and review financial statements for fraud.
Affected
The 3,087,721 Texas hunting and fishing license customers whose driver's license, passport, and contact details were exposed through the department's third-party license vendor; minors were reportedly not affected.
Fix
Place a credit freeze or fraud alert with the major credit bureaus, enroll in the free monitoring, and stay alert to identity fraud. Organizations should tighten third-party vendor access controls and monitoring.

Lithuania investigates theft of 600,000 state registry records; opposition leader alleges Russian intelligence; Centre of Registers chief resigns

Lithuanian authorities are investigating the theft of around 600,000 records from the country's Centre of Registers, which holds state registry data. The breach was detected in early April and disclosed publicly only after weeks of internal investigation. Centre of Registers chief Adrijus Jusas resigned Monday, citing years of underinvestment that would need ~€60 million to address. The leader of Lithuania's conservative opposition alleges 'hallmarks of a Russian intelligence operation' and warns the data (including residential addresses linked to sensitive government personnel) could enable surveillance, phishing, and sabotage planning. Lithuanian prosecutors have neither confirmed nor denied Russian involvement.

Check
If your organization has Lithuanian operations or staff with state registry records, treat residential addresses and personal identifiers as compromised. Monitor for targeted phishing and impersonation.
Affected
Lithuanian citizens and residents whose data is held by the Centre of Registers. Sensitive government personnel are at heightened risk per the opposition leader's warning about surveillance use.
Fix
Lithuanian operations: update access credentials per government guidance. Watch for spear-phishing that uses residential-address pretexts. NATO/EU defenders: assume similar Eastern European registries are next, given this precedent.

European Commission breached through AWS cloud account - 350GB of data reportedly stolen

Hackers broke into the European Commission's Amazon Web Services account and reportedly stole over 350GB of data, including databases and employee information. The breach was discovered on March 24 and affected the cloud infrastructure hosting Europa.eu websites. The Commission says its internal systems weren't impacted. The attacker isn't demanding ransom - they plan to publish the data instead.

Check
Review your organization's AWS account security, especially IAM policies and access keys.
Affected
Any AWS account using static credentials, weak IAM policies, or missing MFA on privileged accounts.
Fix
Enforce MFA on all AWS accounts. Rotate access keys regularly. Audit IAM permissions for least-privilege. Enable CloudTrail for all regions.
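
The MFA and key-rotation checks in that fix can be run against the IAM credential report. The audit below is an added example, not the Commission's or AWS's own tooling; the CSV is a constructed excerpt with only the columns the checks read (the real report from `aws iam get-credential-report` carries more), and the 90-day key age is an assumed policy value.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed excerpt of an IAM credential report (real reports have more columns).
REPORT_CSV = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,true,false,N/A,false,N/A
alice,true,true,true,2026-05-01T09:00:00+00:00,false,N/A
bob,true,false,true,2025-11-20T08:30:00+00:00,false,N/A
deploy-bot,false,false,true,2026-06-10T12:00:00+00:00,true,2026-01-05T12:00:00+00:00
"""

def _true(value: str) -> bool:
    return value.strip().lower() == "true"

def audit_credential_report(report_csv: str, now_iso: str, max_key_age_days: int = 90) -> list:
    """Return (user, finding) pairs: console users without MFA, root with an
    active access key, and access keys not rotated within max_key_age_days.
    now_iso is the audit time as an ISO 8601 timestamp with offset."""
    findings = []
    now = datetime.fromisoformat(now_iso)
    max_age = timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # A console password without MFA is the weak setting to fix first.
        if _true(row["password_enabled"]) and not _true(row["mfa_active"]):
            findings.append((user, "no_mfa"))
        for n in ("1", "2"):
            if not _true(row[f"access_key_{n}_active"]):
                continue
            if user == "<root_account>":
                findings.append((user, f"root_access_key_{n}"))
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if now - rotated > max_age:
                findings.append((user, f"stale_access_key_{n}"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_credential_report(REPORT_CSV, "2026-07-05T09:00:00+00:00"):
        print(f"{user}: {finding}")
```

The service user deploy-bot has no console password, so it is not flagged for MFA, but its second key is over 90 days old.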