Clalit Health Services
February 25, 2026
•[ data leak, healthcare breach, cyber attack ]
Handala claimed it breached Clalit Health Services and published patient files and internal documents online; Clalit said it was investigating the incident and that systems were operating normally.
YES Bank / BookMyForex
February 24, 2026
•[ financial fraud, unauthorized transactions, prepaid forex card breach ]
Attackers used compromised YES Bank and BookMyForex prepaid forex card details to conduct unauthorized USD-BRL transactions at multiple merchants. Roughly 5000 customers were affected and about $280000 in fraudulent transactions were processed before the activity was blocked.
LexisNexis Legal & Professional
February 24, 2026
•[ data leak, cloud security breach, vulnerability exploitation ]
FulcrumSec breached LexisNexis Legal & Professional AWS infrastructure through a vulnerable React container and exfiltrated company and customer data. The stolen dataset includes millions of database records and customer account information.
Undisclosed Middle East entity
February 24, 2026
•[ ransomware, cyberattack, data breach ]
Symantec and Carbon Black linked Lazarus to a Medusa ransomware attack against an undisclosed Middle East entity; the same reporting noted an unsuccessful attempt against a U.S. healthcare organization, which is not coded here as a successful event.
MediMap
February 22, 2026
•[ data integrity, unauthorized access, healthcare breach ]
MediMap was taken offline after an unauthorized user altered patient records, including names, ages, living status, and facility assignments, disrupting medication management across New Zealand providers. Some of the records were changed to designate the patient as dead or to change the patient's name to Charlie Kirk.
Grand Hotel Taipei
February 21, 2026
•[ cyberattack, data leak, unauthorized access ]
Grand Hotel Taipei reported a cyberattack on its systems and warned that guest reservation information may have been accessed. The potentially exposed data includes guest names and contact details, though the number of affected individuals has not been disclosed.
Russian military drone operators
February 21, 2026
•[ data leak, monitoring systems, drone operators ]
Ukrainian hacktivists from the Fenix cyber analytics center, supported by volunteers of the InformNapalm international intelligence community, compromised accounts of Russian military personnel and gained access to monitoring systems used by attack drone operators.
University of Mississippi Medical Center (UMMC)
February 20, 2026
•[ ransomware, operational disruption, healthcare ]
UMMC reported a ransomware attack triggered its emergency operations plan and forced it to cancel all clinic appointments and elective procedures at locations statewide while it assessed the intrusion and worked to restore systems. Public reporting described broad impacts to phone and electronic systems and significant disruption to patient care workflows, with staff reverting to manual processes. UMMC stated it was working with federal authorities (including the FBI) and external experts to investigate scope and recover operations; reporting at the time did not confirm whether patient data was exfiltrated, but the primary confirmed effect was major operational disruption across the health system.
Greenland government-related websites (multiple)
February 20, 2026
•[ DDoS attack, hacktivism, service disruption ]
Greenland media reported that several Greenlandic websites were hit by DDoS attacks on February 20, 2026. Naalakkersuisut stated it was monitoring the situation and assessed that the attacks were not dangerous or harmful to data, but could disrupt availability for short periods. Separate reporting around the same incident attributed the DDoS activity to the pro-Russian hacktivist collective NoName057(16). The confirmed primary effect described is temporary service availability disruption rather than data theft.
Greenland websites (multiple) during Danish/Greenland context
February 20, 2026
•[ DDoS, hacktivism, cyberattack ]
Portuguese-language reporting (from wire coverage) described Denmark denouncing multiple cyberattacks against websites in Greenland, characterized as distributed denial-of-service (DDoS) incidents. The reporting stated the activity was attributed to the pro-Russian hacktivist group NoName057(16) and occurred amid heightened geopolitical attention around the Arctic. The coverage emphasized availability disruption rather than data compromise, indicating the main impact was temporary unavailability or degraded access to targeted public-facing sites.
Scholengemeenschap Bonaire (SGB)
February 20, 2026
•[ ransomware, phishing, data theft ]
Antilliaans Dagblad reported that Scholengemeenschap Bonaire (SGB) was hit by an international ransomware attack, discovered internally after multiple servers failed to start. Europol reportedly informed police about the broader international attack around the same time. Initial analysis indicated one data server used mainly for archive files was infected, and a relatively small portion of data on that server was stolen; investigators were assessing whether the stolen archive files included personal data. SGB said regular education operations were not impacted because key systems ran in a secured cloud environment (including student/admin platforms and Microsoft Office), and it stated usernames/passwords were not stolen. The school reported filing a police report and notifying the BES data protection oversight body, and required staff and students to change passwords and remain vigilant for phishing.
OpenClaw / ClawHub ecosystem (AI assistant skills) – multi-victim campaign
February 19, 2026
•[ infostealer, AI assistant security, credential theft ]
This TecMundo report describes security researchers warning about OpenClaw, a malware operation that, for the first time, is reported to specifically steal secrets tied to an AI assistant ecosystem (tokens/APIs/other assistant-related data). The article frames the activity as a broad distribution campaign (malicious skills/add-ons and infostealer behavior) that can compromise a victim's digital identity by extracting authentication artifacts and credentials used to access accounts and services.
Advantest Corporation
February 19, 2026
•[ ransomware, unauthorized access, incident response ]
Advantest disclosed it detected unusual activity in its IT environment on February 15, 2026 (JST) and activated incident response, isolating affected systems and engaging external cybersecurity experts. Preliminary findings indicated an unauthorized third party may have accessed parts of the company's network and deployed ransomware. Advantest stated the investigation was ongoing and it had not yet confirmed whether customer or employee data was affected; it said it would notify impacted persons if data exposure is confirmed. The public reporting focused on containment and restoration actions and did not describe prolonged manufacturing shutdowns or downstream customer impacts.
Local entities in the Cayman Islands (malicious PDF campaign)
February 19, 2026
•[ phishing, malware, email security ]
RCIPS warned that a malicious PDF was being sent to local entities from a compromised email address. The PDF contained a "VIEW PDF" link that, when clicked, installs malware; authorities stated they were already aware of some local systems being compromised because recipients clicked the embedded link. The public advisory provided guidance to treat unexpected PDFs as suspicious, avoid clicking the embedded link, and report incidents.
Grange Dental Care
February 19, 2026
•[ phishing, fraudulent invoices, system compromise ]
Threat actors compromised Grange Dental Care's system and sent fraudulent invoice emails from the practice before the incident was quickly contained.
Undisclosed contractor supporting National Bank of Ukraine numismatic online store
February 19, 2026
•[ data leak, supply chain attack, cyberattack ]
Attackers breached an undisclosed contractor supporting the National Bank of Ukraine's numismatic online store, potentially exposing customer registration and delivery data; the online store was temporarily taken offline while the incident was investigated.
North Ferry Company
February 18, 2026
•[ ransomware, operational disruption, payment system ]
An editorial in the Riverhead News-Review stated that North Ferry Company's payment system froze under a ransomware attack the prior week, preventing customers from paying online while the FBI and U.S. Secret Service investigated. The piece uses the incident to argue local governments and businesses on Long Island's North Fork should treat ransomware as a recurring risk, referencing earlier attacks such as Southold Town's pre-Thanksgiving ransomware disruption. The editorial does not provide the exact attack date, ransomware group, access vector, or whether any data was stolen, but it describes a confirmed operational disruption to the ferry company's payment system consistent with ransomware.
Quitbro
February 17, 2026
•[ data breach, data leak, PII ]
In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users' years of birth, responses to questions within the app and their last recorded relapse time. The app's maker, Plantake, did not respond to multiple attempts to contact them about the incident.
Grupo Godo
February 16, 2026
•[ DDoS attack, service availability disruption, cybersecurity protocols ]
Grupo Godo reported that the websites of La Vanguardia, Mundo Deportivo, RAC1, and RAC105 experienced a coordinated DDoS attack starting around 06:08 that caused slow loading, intermittent errors, and in some cases total access failures. The group said the attack originated from infrastructure located in Germany and that technical teams activated cybersecurity protocols and mitigation measures to restore services, which returned to normal between approximately 07:30 and 07:40. The company stated that technical analysis found no unauthorized access to personal data and that the incident was limited to saturating systems with massive external traffic, making this a service availability disruption without confirmed data theft.
At least one Bitcoin owner
February 15, 2026
•[ cryptocurrency, phishing, malicious javascript ]
BleepingComputer described a campaign where threat actors abused Pastebin comments to distribute a ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser. The technique enables attackers to hijack crypto swap transactions and redirect funds to attacker-controlled wallets.