At least one Afghan government worker
January 20, 2026
•[ phishing, malware, data exfiltration ]
The Record reported that attackers targeted Afghan government workers with phishing emails disguised as official correspondence from the office of the countrys prime minister. Researchers said the campaign, first detected in December, used a decoy document resembling a government letter (including a forged signature) to entice recipients in ministries/administrative offices to open it. Once opened, the document delivered malware dubbed FalseCub, designed to collect and exfiltrate data from infected computers. The report is focused on the campaign and malware behavior; it does not list specific compromised agencies, confirmed infection counts, or stolen data volumes, so impacts are coded as undetermined.
MRO Corp.
January 20, 2026
•[ data breach, third-party vendor incident, healthcare ]
DataBreaches summarized a disclosure that a data breach at third-party medical records vendor MRO Corp. exposed personal and health information of patients tied to two Deaconess Health System hospitals in Western Kentucky (Deaconess Henderson Hospital and Deaconess Union County Hospital), as well as affected clinic patients whose records were subject to release-of-information requests. The health system stated the breach did not affect Deaconess internal systems or its electronic medical records platform; the incident was contained to the ROI vendor environment. The reporting did not enumerate specific data elements in the excerpt.
Czech Public Procurement Portal
January 19, 2026
•[ DDoS attack, service disruption, cyberattack ]
Czech authorities reported that the countrys public procurement portal was taken out of service by hackers on Monday, January 19, 2026, in an incident described as a DDoS attack. The Ministry for Regional Development stated the portal was brought back online later that same day and the situation continued to be assessed. Officials emphasized that actual public procurement submissions are handled in a separate system that remained functional, limiting downstream operational disruption primarily to portal availability and access to related information services rather than halting procurement processes entirely.
Hyatt
January 19, 2026
•[ ransomware, data leak, double-extortion ]
A ransomware group calling itself NightSpire publicly claimed on January 19, 2026 that it attacked Hyatt and exfiltrated 48.5GB of data originating from the Hyatt Place Chelsea New York hotel. The actors published samples that appeared to include internal company documents such as invoices, expense reports containing employee names, contact information, signatures, and partner company data, and researchers noted the sample list suggested possible exposure of employee credentials for internal tools (raising risk of further compromise). The posting indicated a free download link, consistent with double-extortion tactics where stolen data is leaked if negotiations fail. At the time of reporting, Hyatt had not publicly confirmed the breach and the claims remained unverified by the company.
public.lu
January 19, 2026
•[ DDoS attack, denial-of-service, service disruption ]
Luxembourgs state web domain public.lu experienced a DDoS attack that made several government websites unreachable for roughly forty minutes in the morning (approximately 7:588:39). The national IT center (CTIE) confirmed the incident and stated the disruption was a traffic-flooding denial-of-service event rather than an attempt to expose sensitive data. Impacted sites reported included guichet.lu, Legalux, and CTIEs own web presence; services later returned to normal.
At least one US government official
January 19, 2026
•[ spearphishing, espionage, DLL sideloading ]
HackRead summarized Acronis research describing an espionage-oriented spearphishing campaign targeting U.S. government entities using Venezuela-related news as bait. The described chain used a lure archive and DLL sideloading to load a backdoor dubbed LOTUSLITE, enabling remote access actions such as file collection and command execution on compromised systems. The article stated the researchers attributed the activity with moderate confidence to the China-backed group Mustang Panda (aka HoneyMyte).
Starbucks
January 19, 2026
•[ phishing, credential theft, data breach ]
Starbucks disclosed a data breach affecting nearly 900 employees after attackers accessed Partner Central (the employee portal used to manage personal details, payroll, and benefits). Starbucks detected the incident on February 6, 2026 and said attackers obtained employee credentials through a phishing attack using fake websites mimicking the Partner Central portal. The company stated unauthorized access to employee accounts occurred between January 19 and February 11, 2026. Starbucks said some employees personal information may have been accessed,including names, Social Security numbers, dates of birth, and bank account and routing numbers, and that affected employees were offered identity-protection services.
Zendesk
January 18, 2026
•[ spam campaign, email abuse, unsolicited messaging ]
A large-scale spam campaign abused Zendesks support-ticket functionality, where unverified users can submit tickets that trigger automatic confirmation emails to the address provided. Beginning around January 18, 2026, recipients worldwide reported receiving hundreds of emails with unusual or alarming subject lines, generating confusion and disruption. The reports indicated that attackers were leveraging support platforms run by companies that use Zendesk for customer service; the immediate impact was mass unsolicited messaging rather than confirmed data theft.
Badr satellite
January 18, 2026
•[ broadcast hijacking, hacktivism, signal interference ]
The Record reported that several Iranian state television channels were briefly hijacked on Sunday (January 18, 2026), interrupting programming to air protest footage and anti-regime messages, including content associated with an exiled opposition figure. The affected channels were transmitted via the Badr satellite used to deliver provincial stations nationwide. Social media clips showed messages urging continued protests alongside solidarity footage. The incident appears to be a short-lived disruption to broadcast integrity/availability rather than a data theft event; the report did not confirm compromise of internal newsroom systems or theft of customer/employee data.
French national bank accounts database (FICOBA) / Ministry of Economy and Finance
January 18, 2026
•[ data leak, stolen credentials, unauthorized access ]
Frances Ministry of Economy and Finance stated that part of the national database listing bank accounts in France was illegally accessed, exposing information linked to about 1.2 million accounts. The ministry said that starting in late January 2026, a malicious actor used stolen credentials belonging to an official to access part of the database. The exposed data includes bank details (RIB/IBAN), identity and address of the account holder, and in some cases a tax identification number. Authorities said they restricted access, stopped the intrusion, and notified banks to warn customers to be vigilant.
An undislosed organization
January 16, 2026
•[ vulnerability exploitation, command-and-control, persistence ]
BleepingComputer reported that threat actors exploited critical SolarWinds Web Help Desk (WHD) vulnerabilities (including CVE-2025-40551 and CVE-2025-26399) in a campaign believed to have started around January 16, 2026, targeting at least three organizations. Attackers used the access to deploy legitimate tools (Zoho ManageEngine Assist, Cloudflare tunnels, Velociraptor) for persistence and command-and-control.
Zealthy
January 16, 2026
•[ data leak, health information, personal information ]
Records advertised as Zealthy data were offered for sale online in January 2026, with sample files showing patient personal and health information; Zealthy had not publicly confirmed the incident in the reporting reviewed.
Daniel L Kaler DDS PC
January 15, 2026
•[ data leak, unauthorized access, medical information ]
Attackers gained unauthorized access to systems at a Dakota Dunes dental practice and exfiltrated patient records from its databases. The breach exposed personal, medical, and financial information belonging to approximately 27000 individuals.
Kyowon Group
January 14, 2026
•[ ransomware, service outage, data exfiltration ]
Kyowon Group, a large South Korean conglomerate with major education/publishing and digital services operations, confirmed a ransomware incident after initially describing a suspected attack that caused service outages. In a follow-up update, the company stated the incident occurred in January around 10 a.m. and that an attacker exfiltrated data from its systems. Reporting cited Korean media indicating the event may have impacted a substantial portion of Kyowons infrastructure (roughly 600 of 800 servers) and that there are millions of registered accounts, though Kyowon said it was still determining whether stolen data included customer information. The company said it notified relevant authorities (including KISA), engaged security experts, and worked to restore services while conducting a detailed investigation into scope and data exposure.
Victorian Government Schools
January 14, 2026
•[ unauthorized access, data breach, student information ]
The Department of Education in Victoria, Australia notified parents that an unauthorized third party accessed a database holding student account information. According to disclosure reporting, attackers accessed current and former students personal and school-related fields including names, school names, year levels, school-issued email addresses, and encrypted passwords associated with those accounts. The department stated that more sensitive details such as birth dates, home addresses, and phone numbers were not exposed. Authorities and cyber experts were involved, and the department reset student passwords as a precaution, temporarily restricting access until new credentials were issued. At the time of reporting, investigators had not found evidence that the accessed data had been publicly released or shared onward.
Choice Hotels International
January 14, 2026
•[ social engineering, unauthorized access, PII leak ]
An unauthorized person used social engineering to gain access to a Choice Hotels application containing records on franchisees and franchise applicants, exposing names and Social Security numbers.
At least one organization in North America
January 13, 2026
•[ SEO poisoning, backdoored installers, vulnerabilities ]
It summarizes NCC Group findings about activity linked to a threat group called Silver Fox (including SEO poisoning used to distribute backdoored installers for widely used software and infections observed dating back to July 2025) and separately describes four vulnerabilities in the Johnson Controls PowerG building security radio protocol that could enable interception, impersonation, message replay, and broader compromise within radio range if unpatched or poorly mitigated.
Town of La Hague
January 13, 2026
•[ intrusion, email compromise, unauthorized access ]
The municipality of La Hague (France) announced it was the victim of an intrusion into its information system that impacted internal email accounts. Upon learning of the incident, the commune reported immediate actions including changing passwords for affected and administrator accounts, temporarily suspending email sending for impacted users, notifying relevant authorities (including ANSSI, CERT-FR, DINUM, CNIL, and local digital authorities), informing partners, and filing a formal complaint with the gendarmerie. Specialized law enforcement units began investigating the incident and its consequences while technical teams and service providers conducted parallel analysis. The announcement emphasized heightened vigilance against suspicious links/attachments and stated the municipality was working to restore system security.
AZ Monica
January 13, 2026
•[ cyberattack, operational disruption, healthcare ]
AZ Monica hospital in Antwerp reported a cyberattack discovered around 6:30 a.m. after staff observed a serious IT failure. As a precaution, the hospital shut down all servers across both campuses (Deurne and Antwerp/Harmonie), and law enforcement opened an investigation with the cyber crime unit on site. Because clinicians could not access electronic patient records, the hospital postponed non-urgent care and maintained emergency care at a reduced level. Reporting stated at least 70 planned operations were cancelled, roughly 70 patients were sent home, and seven patients were transferred to other hospitals as a precaution. Public reporting did not confirm encryption, ransom demands, or data theft, focusing primarily on operational disruption and patient-care impact.
ICE List site
January 13, 2026
•[ denial-of-service attack, data leak, personal information ]
A website known as ICE List, operated by Netherlands-based immigration activist Dominick Skinner and described as dedicated to leaking personal information about U.S. immigration and border personnel, went offline following a denial-of-service attack on the evening of January 13, 2026. Reporting said the outage occurred shortly after media coverage that Skinner planned to publish additional personal data allegedly obtained from a whistleblower. Skinner stated it was only possible to speculate on who directed the attack but claimed a large amount of traffic appeared to come from Russia, consistent with bot traffic intended to overwhelm the site and disrupt access.
