Portend Breaches

Czech Public Procurement Portal January 19, 2026 • [ DDoS attack, service disruption, cyberattack ] Czech authorities reported that the countrys public procurement portal was taken out of service by hackers on Monday, January 19, 2026, in an incident described as a DDoS attack. The Ministry for Regional Development stated the portal was brought back online later that same day and the situation continued to be assessed. Officials emphasized that actual public procurement submissions are handled in a separate system that remained functional, limiting downstream operational disruption primarily to portal availability and access to related information services rather than halting procurement processes entirely.

Hyatt January 19, 2026 • [ ransomware, data leak, double-extortion ] A ransomware group calling itself NightSpire publicly claimed on January 19, 2026 that it attacked Hyatt and exfiltrated 48.5GB of data originating from the Hyatt Place Chelsea New York hotel. The actors published samples that appeared to include internal company documents such as invoices, expense reports containing employee names, contact information, signatures, and partner company data, and researchers noted the sample list suggested possible exposure of employee credentials for internal tools (raising risk of further compromise). The posting indicated a free download link, consistent with double-extortion tactics where stolen data is leaked if negotiations fail. At the time of reporting, Hyatt had not publicly confirmed the breach and the claims remained unverified by the company.

public.lu January 19, 2026 • [ DDoS attack, denial-of-service, service disruption ] Luxembourgs state web domain public.lu experienced a DDoS attack that made several government websites unreachable for roughly forty minutes in the morning (approximately 7:588:39). The national IT center (CTIE) confirmed the incident and stated the disruption was a traffic-flooding denial-of-service event rather than an attempt to expose sensitive data. Impacted sites reported included guichet.lu, Legalux, and CTIEs own web presence; services later returned to normal.

At least one US government official January 19, 2026 • [ spearphishing, espionage, DLL sideloading ] HackRead summarized Acronis research describing an espionage-oriented spearphishing campaign targeting U.S. government entities using Venezuela-related news as bait. The described chain used a lure archive and DLL sideloading to load a backdoor dubbed LOTUSLITE, enabling remote access actions such as file collection and command execution on compromised systems. The article stated the researchers attributed the activity with moderate confidence to the China-backed group Mustang Panda (aka HoneyMyte).

Zendesk January 18, 2026 • [ spam campaign, email abuse, unsolicited messaging ] A large-scale spam campaign abused Zendesks support-ticket functionality, where unverified users can submit tickets that trigger automatic confirmation emails to the address provided. Beginning around January 18, 2026, recipients worldwide reported receiving hundreds of emails with unusual or alarming subject lines, generating confusion and disruption. The reports indicated that attackers were leveraging support platforms run by companies that use Zendesk for customer service; the immediate impact was mass unsolicited messaging rather than confirmed data theft.

Badr satellite January 18, 2026 • [ broadcast hijacking, hacktivism, signal interference ] The Record reported that several Iranian state television channels were briefly hijacked on Sunday (January 18, 2026), interrupting programming to air protest footage and anti-regime messages, including content associated with an exiled opposition figure. The affected channels were transmitted via the Badr satellite used to deliver provincial stations nationwide. Social media clips showed messages urging continued protests alongside solidarity footage. The incident appears to be a short-lived disruption to broadcast integrity/availability rather than a data theft event; the report did not confirm compromise of internal newsroom systems or theft of customer/employee data.

French national bank accounts database (FICOBA) / Ministry of Economy and Finance January 18, 2026 • [ data leak, stolen credentials, unauthorized access ] Frances Ministry of Economy and Finance stated that part of the national database listing bank accounts in France was illegally accessed, exposing information linked to about 1.2 million accounts. The ministry said that starting in late January 2026, a malicious actor used stolen credentials belonging to an official to access part of the database. The exposed data includes bank details (RIB/IBAN), identity and address of the account holder, and in some cases a tax identification number. Authorities said they restricted access, stopped the intrusion, and notified banks to warn customers to be vigilant.

An undislosed organization January 16, 2026 • [ vulnerability exploitation, command-and-control, persistence ] BleepingComputer reported that threat actors exploited critical SolarWinds Web Help Desk (WHD) vulnerabilities (including CVE-2025-40551 and CVE-2025-26399) in a campaign believed to have started around January 16, 2026, targeting at least three organizations. Attackers used the access to deploy legitimate tools (Zoho ManageEngine Assist, Cloudflare tunnels, Velociraptor) for persistence and command-and-control.

Daniel L Kaler DDS PC January 15, 2026 • [ data leak, unauthorized access, medical information ] Attackers gained unauthorized access to systems at a Dakota Dunes dental practice and exfiltrated patient records from its databases. The breach exposed personal, medical, and financial information belonging to approximately 27000 individuals.

Kyowon Group January 14, 2026 • [ ransomware, service outage, data exfiltration ] Kyowon Group, a large South Korean conglomerate with major education/publishing and digital services operations, confirmed a ransomware incident after initially describing a suspected attack that caused service outages. In a follow-up update, the company stated the incident occurred in January around 10 a.m. and that an attacker exfiltrated data from its systems. Reporting cited Korean media indicating the event may have impacted a substantial portion of Kyowons infrastructure (roughly 600 of 800 servers) and that there are millions of registered accounts, though Kyowon said it was still determining whether stolen data included customer information. The company said it notified relevant authorities (including KISA), engaged security experts, and worked to restore services while conducting a detailed investigation into scope and data exposure.

Victorian Government Schools January 14, 2026 • [ unauthorized access, data breach, student information ] The Department of Education in Victoria, Australia notified parents that an unauthorized third party accessed a database holding student account information. According to disclosure reporting, attackers accessed current and former students personal and school-related fields including names, school names, year levels, school-issued email addresses, and encrypted passwords associated with those accounts. The department stated that more sensitive details such as birth dates, home addresses, and phone numbers were not exposed. Authorities and cyber experts were involved, and the department reset student passwords as a precaution, temporarily restricting access until new credentials were issued. At the time of reporting, investigators had not found evidence that the accessed data had been publicly released or shared onward.

Choice Hotels International January 14, 2026 • [ social engineering, unauthorized access, PII leak ] An unauthorized person used social engineering to gain access to a Choice Hotels application containing records on franchisees and franchise applicants, exposing names and Social Security numbers.

At least one organization in North America January 13, 2026 • [ SEO poisoning, backdoored installers, vulnerabilities ] It summarizes NCC Group findings about activity linked to a threat group called Silver Fox (including SEO poisoning used to distribute backdoored installers for widely used software and infections observed dating back to July 2025) and separately describes four vulnerabilities in the Johnson Controls PowerG building security radio protocol that could enable interception, impersonation, message replay, and broader compromise within radio range if unpatched or poorly mitigated.

Town of La Hague January 13, 2026 • [ intrusion, email compromise, unauthorized access ] The municipality of La Hague (France) announced it was the victim of an intrusion into its information system that impacted internal email accounts. Upon learning of the incident, the commune reported immediate actions including changing passwords for affected and administrator accounts, temporarily suspending email sending for impacted users, notifying relevant authorities (including ANSSI, CERT-FR, DINUM, CNIL, and local digital authorities), informing partners, and filing a formal complaint with the gendarmerie. Specialized law enforcement units began investigating the incident and its consequences while technical teams and service providers conducted parallel analysis. The announcement emphasized heightened vigilance against suspicious links/attachments and stated the municipality was working to restore system security.

AZ Monica January 13, 2026 • [ cyberattack, operational disruption, healthcare ] AZ Monica hospital in Antwerp reported a cyberattack discovered around 6:30 a.m. after staff observed a serious IT failure. As a precaution, the hospital shut down all servers across both campuses (Deurne and Antwerp/Harmonie), and law enforcement opened an investigation with the cyber crime unit on site. Because clinicians could not access electronic patient records, the hospital postponed non-urgent care and maintained emergency care at a reduced level. Reporting stated at least 70 planned operations were cancelled, roughly 70 patients were sent home, and seven patients were transferred to other hospitals as a precaution. Public reporting did not confirm encryption, ransom demands, or data theft, focusing primarily on operational disruption and patient-care impact.

ICE List site January 13, 2026 • [ denial-of-service attack, data leak, personal information ] A website known as ICE List, operated by Netherlands-based immigration activist Dominick Skinner and described as dedicated to leaking personal information about U.S. immigration and border personnel, went offline following a denial-of-service attack on the evening of January 13, 2026. Reporting said the outage occurred shortly after media coverage that Skinner planned to publish additional personal data allegedly obtained from a whistleblower. Skinner stated it was only possible to speculate on who directed the attack but claimed a large amount of traffic appeared to come from Russia, consistent with bot traffic intended to overwhelm the site and disrupt access.

Armenian Government January 13, 2026 • [ Data Leak, Cybercrime, Alleged Breach ] Reporting stated that a forum user using the alias dk0m offered for sale what was described as a large dataset of Armenian government-related data, allegedly obtained by accessing a government notification system used to distribute official communications (legal and administrative notices). The seller advertised the dataset for $2,500 and claimed it contained about 8 million records related to official notifications, including communications involving police and judicial bodies. Armenian officials opened an investigation, while a government-linked communications body publicly denied that government email infrastructure was breached and suggested any access may have involved another state platform. Because the incident is described as an allegation under investigation without independent confirmation of access or data theft, it is recorded as an alleged event rather than a confirmed cyberattack.

Endesa January 13, 2026 • [ data breach, unauthorized access, data exfiltration ] SecurityWeek reported that Spanish energy company Endesa notified customers about a data breach involving unauthorized access to its commercial platform, also impacting customers of its gas distributor Energia XXI. Endesa stated that attackers accessed and likely exfiltrated basic customer identification information, contact details, national identification numbers (DNI), contract information, and payment details including IBANs. The company said passwords were not compromised and that the incident was contained quickly, with additional safeguards implemented and notifications sent to affected customers.

Medical Practice of Dr. Richard Swift January 12, 2026 • [ malware, cyberattack, data leak ] DataBreaches reported on a class action lawsuit alleging that a Manhattan plastic surgery practice run by Dr. Richard Swift was compromised by a malware-related cyberattack in 2025 and that sensitive patient information was posted online. The suit alleged that a site hosted outside the U.S. displayed personal identifiers and medical record details for at least 22 patients, and that affected patients only learned about the breach after attackers contacted them directly. DataBreaches noted the same threat actors were linked to attacks on other plastic surgery practices and described a recurring pattern where attackers approached patients with demands in exchange for removing posted information. Public reporting did not confirm whether the practice paid, and the article noted the leak site later appeared offline.

At least one organization in Mexico January 12, 2026 • [ data leak, leak portals, cybercrime ] During 2025, the data of 74 Mexican organizations was exposed on leak portals used by criminal groups, a figure that doubles the 37 cases registered in 2024

Recent Breaches