Israeli surveillance cameras
March 10, 2026
•[ espionage, security cameras, password security ]
Israel's National Cyber Directorate stated it had identified dozens of Iranian breaches into security cameras for espionage purposes since the start of the regional war. The directorate said it was alerting hundreds of camera owners and urged the public to change passwords and update software to reduce both national and personal security risk.
Slavia Insurance
March 10, 2026
•[ data breach, medical records, vendor error ]
Czech insurer Slavia pojišťovna reported that attackers obtained about 150 GB of sensitive data, including insurance documents, medical records, and direct communications with clients. The company's spokesperson attributed the incident to an error by a supplier/vendor and said the issue was detected by Slavia's security systems and remediation steps were underway to prevent recurrence. Public reporting did not identify the attacker or provide counts of affected clients, but indicated the stolen data types are sensitive and could enable fraud or targeted extortion/phishing.
At least one Dutch government official
March 9, 2026
•[ social engineering, phishing, state-sponsored hackers ]
Dutch intelligence services warned that Russian state hackers are attempting to gain access to large numbers of Signal and WhatsApp accounts belonging to senior officials, military personnel, and civil servants worldwide. The campaign uses social engineering to trick users into revealing verification and PIN codes, including posing as a Signal support chatbot. The report notes Dutch government employees have also been targeted and, in some cases, compromised. This is campaign/advisory reporting rather than a single discrete victim event.
The City of Arab
March 9, 2026
•[ phishing, BEC, social engineering ]
GovTech reported that the City of Arab, Alabama was hit by a socially engineered phishing/BEC-style fraud in which perpetrators impersonated a legitimate officer of the contractor (FITE Construction) and induced the city to issue a fraudulent payment of $432,739.21 to an unauthorized entity. City leaders stated the fraud was detected internally and triggered a broader investigation. The report focuses on financial loss via social engineering rather than system disruption or data theft.
Perm parking payment system
March 9, 2026
•[ DDoS attack, service disruption, cyberattack ]
The Record reported that the Russian city of Perm restored its parking payment system after a cyberattack the prior week knocked the service offline for several days, temporarily making parking free. Local officials said the disruption was caused by a large-scale DDoS attack that overwhelmed the city's automated parking payment infrastructure. No data theft was described; the primary effect was service availability disruption.
Undisclosed cryptocurrency organization
March 9, 2026
•[ cryptocurrency, social engineering, cloud compromise ]
The Hacker News reported (citing Google Cloud) that North Korea-linked UNC4899 conducted a sophisticated 2025 cloud compromise targeting an unnamed cryptocurrency organization, stealing millions in cryptocurrency. The intrusion began with social engineering that tricked a developer into downloading a malicious archive for a supposed open-source collaboration; the developer then transferred the file to a work device via AirDrop. After malicious Python code executed and a binary masquerading as kubectl ran, the attackers pivoted into the cloud environment and abused legitimate DevOps workflows to harvest credentials, escape container confines, and tamper with Cloud SQL databases to modify financial logic enabling theft. This is coded as a confirmed successful intrusion with financial theft.
Westfield Mall of the Netherlands
March 9, 2026
•[ phishing, data leak, PII ]
Westfield Mall of the Netherlands informed customers that unauthorized persons accessed a database containing information for newsletter subscribers and Westfield Club loyalty program members. Reported exposed fields include first and last name, email address, telephone number, postal code, and date of birth. The mall said no financial data was compromised because bank account numbers, credit card details, and passwords were not stored in the affected database. The mall warned of phishing risk, reported the incident to data protection authorities, and URW filed a complaint with competent authorities.
JBS Brasil
March 9, 2026
•[ ransomware, data leak, corporate data ]
A ransomware group calling itself Coinbasecartel claimed it breached JBS Brasil and obtained approximately 3 TB of corporate data. The report noted the actor did not provide verifiable samples or clear technical indicators supporting the claim, and did not describe the specific file types or whether encryption/disruption occurred.
Community College of Beaver County
March 9, 2026
•[ ransomware, cryptolocker, extortion ]
Community College of Beaver County said it was under an encryption-based cryptolocker attack that forced a lockdown of college IT resources, and later outside reporting tied the incident to an Interlock extortion claim alleging theft of 780 GB of data.
Baydöner
March 8, 2026
•[ data breach, data leak, plaintext passwords ]
In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID number and date of birth. In their disclosure notice, Baydöner stated that payment and financial data was not affected.
The Independent Public Regional Hospital
March 7, 2026
•[ cyberattack, ransomware, data encryption ]
A cyberattack hit the Independent Public Regional Hospital in Szczecin, Poland, overnight on 03/07–03/08/2026, forcing staff to revert to paper-based operations. Hospital authorities said the attack encrypted parts of hospital data and blocked access to critical digital records, temporarily disrupting digital operations. Officials stated urgent treatments and admissions continued, but administrative processes were slower while IT teams worked to restore system access.
Elecq
March 7, 2026
•[ ransomware, data breach, cloud security ]
Fleet World reported that EV charging solutions provider Elecq suffered a ransomware attack on its AWS cloud platform discovered on March 7, 2026 after unusual activity. A notice to customers said compromised information included customer names, email addresses, phone numbers, home addresses, and location data. The company stated that no payment/financial information was accessed and that the physical charging devices were not affected and remained secure and operational.
Aura
March 6, 2026
•[ data leak, PII exposure, marketing tool breach ]
In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses. The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected. Exposed data included names, phone numbers, physical and IP addresses, and customer service notes. Aura advised that no Social Security numbers, passwords or financial information were compromised.
FBI surveillance system
March 6, 2026
•[ data breach, surveillance system, law enforcement sensitive information ]
Reporting stated the White House was working with the FBI, NSA, and CISA to respond to an apparent breach of an FBI surveillance system disclosed to Congress. The system is unclassified but contains law-enforcement sensitive information, including returns from legal process such as pen register and trap-and-trace surveillance returns, and personally identifiable information about subjects of FBI investigations. The report did not identify the attacker, intrusion vector, or the full scope/timeline of access.
Undisclosed U.S. aerospace and defense firm
March 6, 2026
•[ backdoor, data exfiltration, nation-state actor ]
SecurityWeek summarized Broadcom Symantec/Carbon Black reporting that Iran-linked MuddyWater (also known as Seedworm/Mango Sandstorm and linked to Iran's MOIS) had established presence in multiple organizations' networks, including a US airport, a US bank, an NGO operating in the US and Canada, an aerospace and defense contractor, and a software company with a presence in Israel. The report said MuddyWater deployed a new backdoor called Dindoor in several environments and a Python backdoor called Fakeset in others, and attempted to exfiltrate data from the software company's Israeli branch.
Undisclosed telecom company in South America
March 6, 2026
•[ cyberespionage, threat cluster, malware ]
Cisco Talos reported a China-linked threat cluster tracked as UAT-9244 has targeted telecommunications infrastructure in South America since 2024, using multiple implants across Windows, Linux, and edge devices. The toolset described includes TernDoor (Windows), PeerTime (Linux), and BruteEntry (edge devices used for mass scanning and brute forcing services like SSH, Postgres, and Tomcat). The report describes tradecraft and malware but does not identify a single named victim organization or a bounded primary-effect incident suitable for a discrete event record.
Orthopaedic Institute of Western Kentucky
March 6, 2026
•[ data breach, third-party vendor, medical records ]
Orthopaedic Institute of Western Kentucky disclosed a patient data breach tied to two separate security incidents at its third-party vendor Keystone Technologies. Reporting stated one incident occurred in April 2025 and another occurred between July and August 1, 2025, and that in both cases unauthorized parties accessed files containing patient information. The disclosure indicated the potentially exposed data could include medical records, Social Security numbers, and addresses. No threat actor attribution, precise access method, or affected-patient count was provided in the brief report.
Wikimedia Foundation
March 5, 2026
•[ JavaScript worm, script injection, vandalism ]
A self-propagating JavaScript worm modified user scripts and vandalized Meta-Wiki pages, triggering automated edits that injected hidden scripts and disruptive content. Wikimedia engineers temporarily restricted editing across projects during investigation and cleanup, then reverted malicious changes and restored editing. Reporting indicated nearly 4,000 pages were modified and about 85 users had their common.js files replaced during the incident.
Soreco
March 5, 2026
•[ ransomware, data theft, extortion ]
Swiss business software provider Soreco confirmed it was hit by a ransomware attack. The Bravox group claimed responsibility on its leak site and asserted it stole roughly 118.2 GB of Soreco data while attempting to extort the company. Soreco told media that operational impact was minimal and that it did not intend to pay the ransom. Public reporting did not specify the intrusion vector, affected systems, or whether any data was published at the time of reporting.
Woflow
March 5, 2026
•[ supply-chain risk, extortion, data leak ]
ShinyHunters claimed it compromised Woflow, an AI-driven merchant data platform, in what was described as a supply-chain risk for major clients. The group threatened to leak data by March 6, 2026 if demands were not met, and claimed it stole internal corporate information, personally identifiable information, and transaction/order details. Reporting noted the group did not provide a verifiable public data sample and Woflow did not provide a public response at the time, so the incident remains an alleged breach based on the extortion claim.