Tri-City Cardiology Consultants (Phoenix, AZ)
April 6, 2025
•[ data leak ]
22,753 patients notified after an unauthorized third party attempted to infiltrate the network around Apr 6; PHI may have been accessed/obtained; notifications sent in May.
HighWire Press Inc.
April 5, 2025
•[ infostealer, data leak ]
On April 5 2025, Hellcat claimed access to HighWire Press systems using credentials harvested by an infostealer. Data exfiltration was listed on the Hellcat leak site. No encryption or operational disruption has been confirmed.
LeoVegas Group
April 5, 2025
•[ data leak, infostealer, compromised credentials ]
On April 5 2025, Hellcat listed LeoVegas Group on its leak site, claiming exfiltration of internal data through compromised Jira credentials obtained from an infostealer. Hudson Rock verified the inclusion of LeoVegas in the same credential set. No encryption confirmed.
Asseco Poland S.A.
April 5, 2025
•[ data leak, infostealer ]
On April 5 2025, Hellcat listed Asseco Poland on its leak site, claiming data exfiltration using Jira credentials stolen through an infostealer. Hudson Rocks analysis confirmed separate credential sets and data exfiltration from Assecos Jira environment. No encryption was reported or confirmed.
Racami LLC
April 5, 2025
•[ data leak, stolen credentials, infostealer ]
On April 5 2025, Hellcat listed Racami on its leak site, stating it had accessed and exfiltrated internal Jira project data using stolen credentials gathered through an infostealer campaign. No encryption or operational disruption was reported.
Ukrainian government and military entities
April 1, 2025
•[ malware, data leak, espionage ]
Russian FSB 18th Center for Information Security (Gamaredon) deployed updated GammaSteel malware to exfiltrate sensitive data from Ukrainian government and defense networks in an ongoing espionage campaign; no operational disruption reported.
Insignia Financial
April 1, 2025
•[ credential stuffing, data leak ]
Insignia Financial confirmed attempts to access customer portals using stolen credentials during April 2025 campaign; extent of compromise under investigation.
Multiple e-commerce stores using Magento extensions
April 1, 2025
•[ supply-chain attack, malware, webshell ]
Supply-chain compromise of 21 Magento extensions backdoored since 2019, activated in April 2025; between 5001,000 e-stores impacted; at least one webshell observed.
Oregon Department of Environmental Quality (DEQ)
April 1, 2025
•[ ransomware, data leak ]
On April 1 2025, the Oregon Department of Environmental Quality experienced a ransomware attack attributed to the Rhysida group. The incident encrypted internal servers and disabled key systems, including statewide vehicle inspection services, email, web portals, and internal databases. Rhysida claimed to have exfiltrated over 1 million files and demanded a $2.5 million ransom, though DEQ has not confirmed data theft.
Australian Retirement Trust
April 1, 2025
•[ data leak ]
Cyber criminals used stolen credentials to access ART member accounts during coordinated attacks on Australias pension funds; no confirmed financial loss.
DuPage County Government (Justice Systems)
April 1, 2025
•[ ransomware, data leak ]
Cyberattack on DuPage County, Illinois in early April 2025 encrypted servers supporting court, probation, and clerk operations, forcing justice-system portals offline for several days. Officials confirmed encryption but found no evidence of data theft or leak as of April 10 2025.
Pillsbury Winthrop Shaw Pittman LLP
April 1, 2025
•[ social engineering, data leak, personally identifiable information ]
Global law firm Pillsbury Winthrop Shaw Pittman reported that in April 2025 a sophisticated social-engineering attack allowed an intruder to gain limited access to its internal systems. The attacker convinced a single user to grant access and then rapidly downloaded a set of documents containing sensitive personal information, including names, Social Security numbers, addresses, birthdates, and some financial account details for thousands of people. Pillsbury stated that the activity was quickly detected and blocked, and it subsequently bolstered its security controls and notified affected individuals, with public disclosure occurring on November 6, 2025. The breach has since led to class-action litigation alleging inadequate safeguards and delayed notification.
Atlas CPAs & Advisors
March 31, 2025
•[ data leak ]
Accounting firm mailed breach letters beginning March twentieth to impacted individuals.
ImagineX Management Company Limited
March 31, 2025
•[ data leak, misconfiguration, outdated systems ]
A breach at the Hong Kong brand-management firm ImagineX Management Company Limited led to the exposure of nearly 128,000 individuals personal data after attackers exploited an unused temporary user account and gained access to the company intranet, with the root cause attributed to outdated operating systems and delayed deletion of temporary accounts
Samsung Germany
March 31, 2025
•[ data leak, compromised credentials ]
Threat Actor Published Samsung Germany Customer Ticket Records Using Long-Compromised Credentials.
Europcar Mobility Group
March 30, 2025
•[ data leak ]
Europcar Mobility Group confirmed that an unauthorized actor accessed its GitLab server, exposing internal repositories, configuration files, and database backups containing up to 200 000 customer records. The leaked material included mobile-app source code, environment (.env) files, and SQL backups totaling about 37 GB. No evidence of encryption or operational disruption was reported. Europcar disabled the compromised instance and began an internal investigation.
Deutsche Gesellschaft für Osteuropakunde (DGO)
March 30, 2025
•[ espionage, data leak, state-sponsored attack ]
In late March 2025, German officials reported a cyber-espionage incident targeting the Deutsche Gesellschaft fr Osteuropakunde (DGO), a nonprofit academic association focused on Eastern Europe. Investigators attributed the intrusion to Russias Foreign Intelligence Service (SVR), also known as Midnight Blizzard, APT29, or NOBELIUM. Attackers accessed email servers and internal communications for intelligence-gathering purposes. No data encryption or operational disruption was reported, indicating a stealthy exploitation of application servers.
Royal Mail Group
March 29, 2025
•[ data leak ]
British postal operator Royal Mail suffered a data leak via its supplier Spectos GmbH. A threat actor claimed to have stolen ~144 GB of data, including personal customer information and internal business documents. Royal Mail confirmed the supplier breach but stated operations were unaffected.
myCicero
March 29, 2025
•[ data leak ]
Italian reporting stated that unknown cybercriminals attacked myCiceros systems between March 2930, 2025 and exfiltrated data from servers used to support transport-ticketing apps, including the UnicoCampania service. According to the article, stolen information included users personal/contact details, usernames and passwords, and information about purchased mobility tickets (type, validity, fare zone, and amounts paid). The report stated that payment card data were not stolen because those data were not hosted on myCicero systems, and it warned that even if passwords were stored encrypted, attackers might attempt to crack them depending on password strength.
Sam’s Club
March 28, 2025
•[ ransomware, data leak ]
Sams Club, a U.S. warehouse retail chain owned by Walmart Inc., is investigating claims by the ransomware group Clop that it breached the companys systems. Clop added Sams Club to its dark-web leak site but so far has not provided any proof of data exfiltration. Sams Club acknowledged awareness of the potential incident and emphasized protecting member information is a priority while its internal investigation continues.
