Omnicuris
June 8, 2025
•[ leak, healthcare ]
In June 2025, the Indian CME platform Omnicuris suffered a data breach that exposed approximately 200k records of healthcare professionals. The data included names, email addresses, phone numbers, geographic locations and other data attributes relating to professional expertise and training progress. Omnicuris is aware of the incident.
Lexington-Richland School District 5
June 5, 2025
•[ ransomware, phishing, education ]
On June 3, 2025, Lexington-Richland School District 5 detected a network intrusion following a phishing email that disrupted systems, delayed summer school and staff bonuses. Over 1.03 TB of data has been confirmed under review. Though Interlock claimed responsibility, this is unverified. The district refused ransom demands and is offering credit monitoring to affected individuals.
Chess.com
June 5, 2025
•[ hack ]
Chess.com says 4,500 people had data stolen during June breach.
Highlands Oncology Group
June 2, 2025
•[ ransomware, healthcare ]
Highlands Oncology Group notifies 113,575 people after ransomware attack by Medusa
Microsoft Outlook / Office 365 Customers
June 1, 2025
•[ social, phishing, technology ]
Threat actors abused Proofpoint and Intermedia email-link wrapping services to deliver phishing emails posing as Teams notifications and voicemails, leading to theft of Microsoft Outlook / Office 365 login credentials from global users. No encryption occurred; actor identity unknown.
Ingonyama Trust Board
June 1, 2025
•[ ransomware, malware, government ]
On June 1, 2025, the NightSpire ransomware group attacked the Ingonyama Trust Board in South Africa, stealing around 30 GB of potentially sensitive organizational data. Reports confirm exfiltration but no encryption or disruption of systems. The incident became public on August 29, 2025.
Multiple diplomatic and international organizations (particpating in Gaza peace talks)
June 1, 2025
•[ espionage, social, phishing ]
Homeland Justice, an Iranian MOIS-linked group, compromised an Omani Embassy email account and used it to deliver spear-phishing attachments to diplomats and international mediators engaged in Gaza ceasefire negotiations. This was an espionage operation with no service disruption reported. ~72K+ malicious Word emails sent via spear-phishing from a compromised Omani Embassy in Paris account; targeted Egyptian officials, U.S. and Qatari mediators, and organizations such as UN, UNICEF, World Bank, and African Union during Gaza ceasefire talks
WhatsApp/Apple
June 1, 2025
•[ espionage, malware, technology ]
A zero-click spyware campaign exploited WhatsApp and Apple zero-day flaws, infecting fewer than 200 civil society individuals globally between June and August 2025. Attackers likely state-sponsored.
West Texas Oral Facial Surgery
May 29, 2025
•[ hack, ransomware, leak ]
West Texas Oral Facial Surgery suffered a cyberattack beginning May 29, 2025, when INC RANSOM gained unauthorized access to its systems. Patient files including names, imaging data, and treatment reasons were exfiltrated, but no encryption of systems was reported. SSNs, financial information, and the electronic medical records system were not affected. The breach impacted over 11,000 individuals and was reported to HHS-OCR on August 2 and to the Texas Attorney General on August 4.
Farmers Insurance (via third-party vendor)
May 29, 2025
•[ social, phishing, finance ]
Over 1.1 million customers impacted by breach via Salesforce-linked vendor breach. Exfiltration involved social engineering/vishing and malicious OAuth apps, with ShinyHunters and Scattered Spider providing access and exfiltration. Two years of identity protection offered.
ColoCrossing
May 24, 2025
•[ leak, misconfiguration, technology ]
In May 2025, hosting provider ColoCrossing identified a data breach that impacted customers of their ColoCloud virtual server product. ColoCrossing advised the incident was isolated to their cloud/VPS platform and stemmed from a single sign-on vulnerability. 7k email addresses were exposed in the incident along with names and MD5-Crypt password hashes.
Operation Endgame 2.0
May 23, 2025
•[ ransomware, malware, government ]
In May 2025, a coalition of law enforcement agencies took down the criminal infrastructure behind the malware used to launch ransomware attacks in a new phase of "Operation Endgame". This followed the first Operation Endgame exercise a year earlier, with the latest action resulting in 15.3M victim email addresses being provided to HIBP by law enforcement. A further 43.8M victim passwords were also provided for HIBP's Pwned Passwords service.
ApolloMD (Business Associate to 11 Physician Practices)
May 22, 2025
•[ ransomware, malware, healthcare ]
ApolloMD confirmed unauthorized access to its network on May 2223 2025 affecting 11 affiliated physician practices. The Qilin ransomware group claimed to have stolen approximately 238 GB of data, including patient and insurance information. ApolloMD did not confirm encryption or ransom payment.
Independent film makers
May 21, 2025
•[ espionage, malware, government ]
While detained in May 2025, filmmakers phones were allegedly infected with FlexiSPY; forensic analysis ties installation to police custody (May 21). Devices were returned July 10. CPJ/Citizen Lab publicly detailed findings on Sept 1012; The Standard reported the allegations Sept 10.
Union County (Ohio) government / county systems
May 18, 2025
•[ ransomware, malware, government ]
A ransomware attack on Union County, Ohios public administration systems led to both encryption and data exfiltration. Data was stolen from internal government databases containing personal, financial, and biometric records of 45,487 individuals. Approximately 12 systems were encrypted, causing partial disruption for several days. No ransomware group has claimed responsibility.
Columbia University IT Systems
May 16, 2025
•[ leak, education ]
An unauthorized actor gained access to university systems on May 16, 2025, and exfiltrated approximately 460GB of sensitive personal, financial, and health data following an IT outage; patient records from the medical center were unaffected; notifications are underway
PDI Health
May 14, 2025
•[ ransomware, leak, malware ]
On May 14, 2025, PDI Health discovered a cyberattack when the Everest ransomware group infiltrated its internal systems and exfiltrated sensitive patient records. The group leaked samples and claimed responsibility on the dark web, revealing more than 373,000 records stolen. No evidence of encryption or service disruption was confirmed.
Tiffany & Co
May 12, 2025
•[ leak, retail ]
Tiffany determined on 09/09/2025 that an unauthorized party accessed gift cardrelated customer data from an incident occurring ~05/12/2025; 2,590 customers affected; exposed data include PII and gift card number + PIN; separate earlier Korea/vendor incident noted but relation unclear.
Anchorage Neighborhood Health Center
May 9, 2025
•[ leak, healthcare ]
Anonymous group claims theft of ANHC patient records (10k, later 60k); FBI aware; at least one patient contacted with personal data. ANHC initiated investigation and took systems offline; scope/details pending.
SonicWall
May 9, 2025
•[ hack, brute-force, technology ]
Threat actors brute-forced the MySonicWall portal and accessed cloud backup firewall preference files for a subset of customers (<5%). SonicWall terminated access, issued Essential Credential Reset guidance, and involved law enforcement. Risk centers on reuse of secrets/config intelligence for follow-on compromises.
