IntraCare
March 20, 2026
•[ unauthorized access, extortion, data breach investigation ]
IntraCare disclosed unauthorized access to its network on March 20, 2026, while outside reporting linked the incident to an extortion claim by The Gentlemen; the organization said it was still investigating what information, if any, was impacted.
Neukölln district heating plant
March 20, 2026
•[ ransomware, internal IT systems, accounting ]
Berlin police confirmed a ransomware attack against the Neukölln district heating plant that had been known since March 20, 2026; reporting said internal IT systems including accounting and internal communications were affected, while technical systems and heat supply remained unaffected.
Los Angeles City Attorney’s Office
March 20, 2026
•[ data leak, unauthorized access, third-party breach ]
World Leaks posted an archive of approximately 7.7 TB / 337,000 files after unauthorized access to a third-party discovery-transfer tool used by the Los Angeles City Attorney's Office; the data included LAPD civil litigation discovery files, personnel and disciplinary records, witness information, medical information, and investigative materials, while LAPD said its own systems were not breached.
GFN.am
March 20, 2026
•[ unauthorized access, data leak, PII ]
GFN.am, NVIDIA's regional GeForce NOW alliance partner in Armenia, suffered unauthorized access to partner-operated infrastructure between March 20 and March 28, 2026. The breach affected Armenian GeForce NOW users registered before March 9 and exposed personal account information including names, email addresses, phone numbers, dates of birth, usernames, membership status, and two-factor authentication status. NVIDIA said its own infrastructure was not affected. A forum actor using the ShinyHunters name claimed the breach, but reporting indicates the real ShinyHunters group denied involvement, so the specific perpetrator remains unidentified.
The Ukrainian State Hydrology Agency
March 19, 2026
•[ phishing, vulnerability exploitation, XSS ]
BleepingComputer reported that Russia-linked APT28 (GRU) exploited a Zimbra Collaboration Suite vulnerability (CVE-2025-66376) in attacks targeting Ukrainian government entities. Researchers described a phishing operation (Operation GhostMail) where a single HTML email body triggered obfuscated JavaScript exploiting the Zimbra XSS flaw when opened in a vulnerable webmail session. The payload was described as harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and mailbox contents going back 90 days, with exfiltration over DNS and HTTPS. One referenced target was the Ukrainian State Hydrology Agency.
Foster City
March 19, 2026
•[ cyberattack, service disruption, network intrusion ]
GovTech (via SFGATE/TNS) reported a cyberattack that left Foster City (Bay Area; ~33,000 residents) largely paralyzed for five consecutive days after suspicious activity was discovered on the city's computer network on Thursday morning (Mar. 19, 2026). City officials said most computer systems were taken offline as a precaution while independent cybersecurity specialists investigate and remediate. Most government services were suspended with no restart timeline provided, while police and 911 services continued operating. Public reporting did not confirm the intrusion vector, ransomware group, or whether data was exfiltrated; the confirmed primary effect is prolonged disruption of municipal services.
Dutch Ministry of Finance
March 19, 2026
•[ cyberattack, unauthorized access, internal system compromise ]
The Record reported that the Dutch Ministry of Finance is investigating a cyberattack that compromised some internal systems. Officials said the breach was flagged on March 19, 2026 after a third party alerted the ministry to suspicious activity, and internal security teams found unauthorized access to several systems used by a department. Authorities said the affected systems were part of the ministry's primary infrastructure and were taken offline quickly once detected. The report did not confirm data theft or identify the attacker; the confirmed impact is internal-system compromise and operational disruption from systems being taken offline during response.
Trivy
March 19, 2026
•[ supply chain attack, malicious code, credential-stealing malware ]
TeamPCP compromised Trivy-related release components and published malicious code that turned trusted Trivy software artifacts into delivery vehicles for credential-stealing malware.
Berkadia
March 19, 2026
•[ ransomware, finance, technology ]
In March 2026, the commercial real estate finance company Berkadia was the target of a ShinyHunters "pay or leak" extortion campaign. The group subsequently published data they alleged was taken from Berkadia's Salesforce instance, including over 300k unique email addresses as well as names, physical addresses and phone numbers, among other data.
P3 Global Intel
March 18, 2026
•[ data breach, data leak, personally identifiable information ]
DataBreaches summarized reporting that hackers calling themselves The Internet YIFF Machine stole data from cloud-based tip and intelligence management company P3 Global Intel and provided it to DDoSecrets. The exposed dataset includes millions of tips and extensive personal data about people accused in tips, including names, email addresses, dates of birth, phone numbers, home addresses, license plate numbers, Social Security numbers, and criminal histories. The platform is used by thousands of clients, including Crime Stoppers programs, local and federal law enforcement agencies, public schools, and the U.S. military, so the breach has broad downstream exposure across many organizations.
Aura
March 18, 2026
•[ voice phishing, vishing, data leak ]
BleepingComputer reported Aura confirmed an incident where an unauthorized party gained access to nearly 900,000 records containing names and email addresses. Aura said the incident was caused by voice phishing targeting an employee and that the exposed data originated from a marketing tool used by a company acquired in 2021. Aura stated the event exposed information for 20,000 current and 15,000 former customers within the larger marketing dataset and that compromised customer information includes full names, email addresses, home addresses, and phone numbers, while emphasizing SSNs, account passwords, and financial information were not compromised. ShinyHunters claimed responsibility and said it stole 12GB of files and leaked them.
Duet Night Abyss
March 18, 2026
•[ malware, infostealer, supply chain attack ]
Kotaku reported that on March 18, 2026 Duet Night Abyss players' PCs were infected after a malicious update was pushed through the game's launcher. The malware was identified by users' antivirus products as 'Trojan:MSIL/UmbralStealer.DG!MTB' (Umbral Stealer), an infostealer capable of logging keystrokes, taking screenshots, and attempting to harvest sensitive information such as passwords and cryptocurrency-related data. The developers said they addressed the issue and apologized, describing it as an external malicious attack spread via the launcher update.
Infinite Campus
March 18, 2026
•[ unauthorized access, data leak, account compromise ]
An unauthorized actor accessed an Infinite Campus employee's Salesforce account, exposing names and contact information for school staff; Infinite Campus said no student databases were accessed.
Yeshiva World News
March 18, 2026
•[ defacement, hacktivism, website downtime ]
Yeshiva World News was defaced with pro-Iran imagery and Farsi text on March 18, 2026, knocking the homepage offline and leaving the site on a maintenance page while restoration work continued.
At least one individual
March 18, 2026
•[ phishing, malware, social engineering ]
Cyber fraudsters in Navi Mumbai impersonated Mahanagar Gas Limited officials and sent malicious WhatsApp files or links that compromised victims' phones and enabled unauthorized access to their bank accounts.
Sterling Bank Plc
March 18, 2026
•[ CVE-2025-55182, remote code execution, data leak ]
ByteToBreach exploited CVE-2025-55182 in Sterling Bank's internet-facing pilot infrastructure on March 18, 2026, gaining unauthenticated remote code execution, conducting internal reconnaissance, and publishing artefacts that Web Security Lab assessed as technically substantiating compromise of customer and employee records.
Infinite Campus
March 18, 2026
•[ ransomware, leak, technology ]
In March 2026, the student information system Infinite Campus was targeted in a ShinyHunters "pay or leak" extortion campaign. The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus subsequently sent notifications, advising that the exposed data largely consisted of "names and contact information for school staff" and that "the majority is directory information commonly found on school websites".
Nordstrom
March 17, 2026
•[ phishing, cryptocurrency scam, SSO compromise ]
Cybernews reported Nordstrom customers received fraudulent emails from an official Nordstrom email address promoting a St. Patrick's Day "double your crypto" scam. Reporting cited a source saying the breach occurred via an Okta SSO to Salesforce compromise, and scam emails were sent using Salesforce Marketing Cloud. Analysis of the scam wallet address indicated the attacker received a little over $5,600 in cryptocurrency.
The Gauteng Provincial Government
March 17, 2026
•[ ransomware, data leak, data exfiltration ]
Daily Maverick reported a ransomware-as-a-service syndicate calling itself XP95 claimed it stole 3.8TB of data from the Gauteng Provincial Government. The article describes the breach as a major failure of basic cybersecurity infrastructure and governance, with a massive dataset reportedly lifted/exfiltrated and allegedly offered for sale. The report did not provide a definitive public inventory of affected systems or all data elements, but characterized the exposure as potentially spanning personnel, procurement, and other government records at very large scale.
Sweden's BankID
March 17, 2026
•[ data leak, credential leak, source code leak ]
Biometric Update reported a hacker group calling itself ByteToBreach claimed a breach at CGI's Swedish division, leaking code and credentials tied to systems used by Swedish public authorities and linked in reporting to BankID authentication flows (including for the Swedish Tax Agency). The article said other databases containing personal data and electronic signature documents were allegedly being sold separately. The report is based on attacker claims and leak assertions and does not provide an official confirmation of full scope from CGI or BankID in the excerpt.