Passenger ferry owned by GNV
December 17, 2025
•[ malware, foreign interference, sabotage ]
French authorities reported that the passenger ferry 'Fantastic' (operated by Italian shipping company Grandi Navi Veloci, GNV) was infected with malware while docked in the port of Sète, France. Officials stated the malware could have enabled the ship to be remotely controlled, prompting an investigation into possible foreign interference. Prosecutors said a Latvian national was arrested and charged after the malware was discovered.
Naftali Bennett's phone
December 17, 2025
•[ data leak, hacking ]
Israel National News reported that the Iranian-affiliated hacker group Handala claimed it infiltrated Naftali Bennett's personal iPhone 13 as part of Operation Octopus and published files it said were extracted from the device, including a contact list with names of senior Israeli officials, internal communications, sensitive documents, and personal photos. The outlet also reported Bennett responded that the matter was being handled by security authorities. Subsequent coverage elsewhere reported Bennett's office said tests indicated the phone was not hacked, though content tied to his accounts/contacts circulated online; the exact extent of compromise is therefore not fully verified beyond an unauthorized leak claim.
Pass'Sport
December 17, 2025
•[ data leak ]
In December 2025, data from France's Pass'Sport program was posted to a popular hacking forum. Initially misattributed to CAF (the French family allowance fund), the data contained 6.5M unique email addresses affecting 3.5M households. The data also included names, phone numbers, genders and physical addresses. The Ministry of Sports subsequently released a statement acknowledging the incident.
Pine Bluff School District
December 17, 2025
•[ business email compromise, phishing, fraud ]
A compromised Pine Bluff School District email account was used in a business email compromise scheme to insert fraudulent wiring instructions into legitimate vendor correspondence, causing the district to transfer approximately $3.2 million to scammers in December 2025.
At least one organization in the energy sector
December 16, 2025
•[ energy sector, unauthorized access, operational disruption ]
An organization operating in the energy sector was targeted by cyber activity that sought to access or interfere with systems supporting energy operations.
APOIA.se
December 16, 2025
•[ data breach, data leak, PII exposure ]
In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum. In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.
ASC Ortho Management Company, LLC d/b/a Aligned Orthopedic Partners
December 16, 2025
•[ email environment breach, unauthorized access, personal information ]
ASC Ortho Management Company, LLC d/b/a Aligned Orthopedic Partners identified unusual activity in its email environment on December 8, 2025 and later determined that an unknown actor had unauthorized access to the email environment between November 16 and December 16, 2025, potentially accessing certain emails and files containing personal and protected health information. Aligned Orthopedic mailed notices to affected individuals on April 17, 2026.
SoundCloud
December 15, 2025
•[ data leak, ddos ]
SoundCloud disclosed that it detected unauthorized activity involving an ancillary service dashboard and investigated the incident with external experts. SoundCloud said an attacker accessed information for roughly 20% of user accounts, limited to email addresses and information visible on public SoundCloud profiles, and stated that passwords and payment information were not exposed. The company implemented additional security controls, forced logouts and token rotations, and temporarily restricted some access while mitigating follow-on activity; it also reported experiencing a DDoS attack that contributed to short-lived service availability issues on the web version.
The Minersville School District
December 15, 2025
•[ malware ]
Minersville Area School District reported a cybersecurity incident after security tools detected attempts to install malware on certain district systems on Monday, December 15, 2025. As a precaution, the district took its computer network offline to contain any potential infection and engaged cybersecurity specialists to investigate the activity, validate system integrity, and plan a safe restoration. The network shutdown disrupted district operations and led to the closure of schools on Tuesday, December 16, 2025. Public reporting did not confirm whether data was accessed or exfiltrated, and the incident was described primarily as a malware-install attempt and precautionary outage.
Dainichiseika Color & Chemicals Mfg. (Vietnam subsidiary)
December 15, 2025
•[ ransomware, unauthorized access, data leak ]
Dainichiseika Color & Chemicals Manufacturing reported that its consolidated subsidiary in Vietnam (DAINICHI COLOR VIETNAM CO., LTD.) suffered unauthorized access that resulted in ransomware infection of internal servers and related systems. On December 15, 2025, the company confirmed that files on servers and PCs had been encrypted and rendered unreadable, consistent with a ransomware data attack. Affected devices were disconnected from internal networks and the internet to prevent spread, and IT specialists were dispatched to support recovery and forensic analysis. The company stated that key subsidiary operations such as manufacturing and shipping continued as usual and that the extent of information leakage, if any, was still being assessed.
Petroleos de Venezuela (PDVSA)
December 15, 2025
•[ ransomware, state-sponsored, service disruption ]
PDVSA confirmed a cyberattack impacted its administrative system and publicly blamed the United States, though outside experts had not substantiated that attribution. Reporting cited by the outlet said the incident was more damaging than PDVSA described, with the company website down and oil cargo deliveries suspended; company sources characterized it as a ransomware attack and described systems being down and deliveries halted for days.
Raaga
December 15, 2025
•[ data leak ]
In December 2025, data allegedly breached from the Indian streaming music service "Raaga" was posted for sale to a popular hacking forum. The data contained 10M unique email addresses along with names, genders, ages (in some cases, full date of birth), postcodes and passwords stored as unsalted MD5 hashes.
SoundCloud
December 15, 2025
•[ data leak, extortion ]
In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user's country. The attackers later attempted to extort SoundCloud before publicly releasing the data the following month.
Lena Health
December 15, 2025
•[ data leak, healthcare, insecure server ]
A breach of AI digital helper Lena Health allegedly exposed sensitive Houston Methodist patient data on a dark web forum; access was claimed via an insecure server.
Pell City School System
December 15, 2025
•[ ransomware, security incident, data leak ]
Pell City School System reported that some of its technology systems were affected by a security incident. The superintendent told families that the student information system was not affected, but that a third party copied some files. The district said it was working to resolve the incident and restore services and stated it would not pay. A separate report stated that the SafePay ransomware group claimed responsibility in December 2025, but the school district had not publicly verified the claim or provided details about exactly what data was taken or how systems were accessed at the time of reporting.
Raaga
December 15, 2025
•[ data leak, unauthorized access, credential stuffing ]
Raaga confirmed that an unauthorized party accessed a legacy database and that the extracted user data was later advertised for sale on an underground hacking forum during December 2025. Reporting described the exposed dataset as affecting more than 10.2 million user accounts and including personal and account-related fields such as names, email addresses, usernames, hashed passwords, and account creation dates, with partial location data in some cases. The company stated it secured the relevant access points tied to the exposed system, reset passwords for impacted accounts, and implemented additional monitoring while working with cybersecurity specialists and notifying law enforcement. Even without payment data, the combination of emails and password hashes creates elevated risk of credential stuffing, targeted phishing, and account takeover.
Danish Booksellers' Commission Foundation
December 15, 2025
•[ ransomware, data leak, IT disruption ]
A Danish business foundation that distributes books to many bookstores reported being hit by ransomware during the busy Christmas period. The incident disrupted IT operations and prompted an investigation. The organization warned that attackers may have accessed internal files, including employee salary information and other personal data related to staff and potentially customers and former employees. Details on the initial access vector, the ransomware strain, and the total number of impacted individuals were not publicly provided.
Mazda Motor Corporation
December 15, 2025
•[ cyberattack, unauthorized access, data leak ]
SecurityWeek reported Mazda disclosed a mid-December cyberattack involving unauthorized access to a management system used for warehouse operations involving parts procured from Thailand. Mazda said 692 records tied to employees of Mazda and its group companies and business partners were compromised. Exposed data included company-issued user IDs, names, email addresses, company names, and business partner IDs. Mazda stated no customer data was affected because it is not stored in the compromised system and said attackers exploited security defects in the application, without naming the software or vulnerabilities.
Stockton Cardiology Medical Group
December 15, 2025
•[ unauthorized access, data leak, extortion ]
Stockton Cardiology Medical Group disclosed that an unauthorized individual accessed and removed files from its systems in December 2025, and some of the files were later publicly disclosed; outside reporting tied the incident to a Genesis extortion claim.
DXS International
December 14, 2025
•[ ransomware, data leak ]
DXS International disclosed a cyberattack affecting its office servers that it said was discovered on December 14, 2025 and immediately contained in cooperation with NHS England. The company reported minimal impact on services and said front-line clinical services were unaffected. The specific nature of the breach and whether patient medical information was stolen was not confirmed in the report; however, a ransomware group calling itself DevMan claimed credit and alleged theft of 300 GB of data. Regulators and law enforcement were notified and an external cybersecurity firm was engaged to investigate the scope and extent of unauthorized access.