StarHub
February 10, 2026
•[ cyber espionage, state-sponsored, data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the country's telecom infrastructure, including StarHub. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
Multiple organizations with exposed MongoDB databases
January 30, 2026
•[ MongoDB, data breach, ransomware ]
A threat actor actively accessed, queried, and ransacked more than 1400 publicly exposed MongoDB application servers, exfiltrating data and leaving ransom notes demanding payment in exchange for deletion or non-disclosure of the stolen information.
McDonald's India
January 20, 2026
•[ ransomware, data leak, data exfiltration ]
HackRead reported that on January 20, 2026 the Everest ransomware group claimed it breached McDonald's India and exfiltrated 861 GB of customer data and internal documents. The report described screenshots purportedly showing internal financial reports (2023–2026), audit trails, cost tracking, ERP migration files, pricing data, and other internal communications, as well as a Contact Database spreadsheet with investor/business-partner contact details and store-level manager contact information. Everest reportedly issued a short deadline and threatened to leak data; the article noted the claim was unverified at the time.
At least one Afghan government worker
January 20, 2026
•[ phishing, malware, data exfiltration ]
The Record reported that attackers targeted Afghan government workers with phishing emails disguised as official correspondence from the office of the country's prime minister. Researchers said the campaign, first detected in December, used a decoy document resembling a government letter (including a forged signature) to entice recipients in ministries/administrative offices to open it. Once opened, the document delivered malware dubbed FalseCub, designed to collect and exfiltrate data from infected computers. The report is focused on the campaign and malware behavior; it does not list specific compromised agencies, confirmed infection counts, or stolen data volumes, so impacts are coded as undetermined.
Kyowon Group
January 14, 2026
•[ ransomware, service outage, data exfiltration ]
Kyowon Group, a large South Korean conglomerate with major education/publishing and digital services operations, confirmed a ransomware incident after initially describing a suspected attack that caused service outages. In a follow-up update, the company stated the incident occurred in January around 10 a.m. and that an attacker exfiltrated data from its systems. Reporting cited Korean media indicating the event may have impacted a substantial portion of Kyowon's infrastructure (roughly 600 of 800 servers) and that there are millions of registered accounts, though Kyowon said it was still determining whether stolen data included customer information. The company said it notified relevant authorities (including KISA), engaged security experts, and worked to restore services while conducting a detailed investigation into scope and data exposure.
Endesa
January 13, 2026
•[ data breach, unauthorized access, data exfiltration ]
SecurityWeek reported that Spanish energy company Endesa notified customers about a data breach involving unauthorized access to its commercial platform, also impacting customers of its gas distributor Energia XXI. Endesa stated that attackers accessed and likely exfiltrated basic customer identification information, contact details, national identification numbers (DNI), contract information, and payment details including IBANs. The company said passwords were not compromised and that the incident was contained quickly, with additional safeguards implemented and notifications sent to affected customers.
Undisclosed Taiwanese healthcare organization #5
January 12, 2026
•[ ransomware, cyber intrusion, data exfiltration ]
The CrazyHunter ransomware group conducted a cyber intrusion against a healthcare organization in Taiwan by exploiting application-layer access, resulting in unauthorized access and data exfiltration. Security reporting confirms the victim as one of multiple Taiwanese healthcare entities affected, though specific organizational details were not publicly disclosed.
Langley Twigg Law
January 11, 2026
•[ cyberattack, data breach, malware ]
Langley Twigg Law (Napier, New Zealand) stated it was hit by a cyberattack on January 11, 2026. The firm said digital forensics and cyber specialists confirmed a malicious third party launched a virus on its IT network, which was not protected by its cybersecurity software at the time. The firm reported the attacker extracted a portion of data from its file server containing internal operational information and some client documents. Langley Twigg said it disconnected its network from the internet, notified the Privacy Commissioner and police, and was working to determine exactly what information was affected before contacting impacted clients.
American Vanguard
January 10, 2026
•[ data leak, data exfiltration, unauthorized access ]
The Osiris threat group gained unauthorized access to American Vanguard systems in early January 2026 and exfiltrated corporate and financial data. Security reporting and attacker leak listings indicate data theft, though no explicit confirmation of file encryption was reported. Operational impacts appear linked to incident response and remediation activities.
UrbanX.io
January 6, 2026
•[ data leak, initial access broker, information-stealer malware ]
SecurityWeek reported that Hudson Rock linked dozens of major breaches to a single initial access broker operating under the aliases Zestix and Sentap. The actor is described as using credentials harvested via information-stealer malware (including RedLine, Lumma, and Vidar) from infected employee devices to log into enterprise file-transfer/file-sharing environments such as ShareFile, OwnCloud, and Nextcloud when MFA was missing. After gaining access, the actor allegedly exfiltrated sensitive corporate data and monetized it by selling datasets or access on closed Russian-language forums, with victim organizations spanning sectors such as aerospace, government infrastructure, legal services, and robotics.
National Credit Regulator (NCR)
December 12, 2025
•[ cyberattack, ransomware, data exfiltration ]
The South African National Credit Regulator confirmed it was the victim of a cyberattack in December 2025 that disrupted some of its systems. A ransomware group known as DragonForce claimed responsibility and alleged the exfiltration and publication of 42 GB of data, but the regulator stated investigations were ongoing and has not confirmed data exfiltration, encryption, or the attackers' identity.
Center for Life Resources
November 14, 2025
•[ unauthorized access, network intrusion, data breach ]
Center for Life Resources identified unauthorized access to its network in mid-November 2025 and determined that files containing sensitive personal and protected health information may have been accessed or copied, which was later disclosed in regulatory notifications.
Georgia Superior Court Clerks’ Cooperative Authority
November 8, 2025
•[ ransomware, data exfiltration, cyber threat ]
The Devman ransomware group attacked the Georgia Superior Court Clerks' Cooperative Authority beginning November 8, 2025. GSCCCA voluntarily restricted access to its systems while investigating a credible cyber threat. Devman claimed to have exfiltrated 500 GB of organizational data from GSCCCA's application servers and demanded a $400,000 ransom by November 27.
At least one Belgian diplomat
October 31, 2025
•[ cyber-espionage, spear-phishing, vulnerability ]
Arctic Wolf Labs and other researchers detailed a Chinese state-aligned cyber-espionage campaign in which UNC6384 targeted European diplomatic entities, notably in Hungary and Belgium, between September and October 2025. The group sent spear-phishing emails referencing real EU and NATO events that carried malicious Windows shortcut (.LNK) files exploiting the ZDI-CAN-25373 (CVE-2025-9491) vulnerability to execute obfuscated PowerShell, unpack a signed Canon utility and side-load a PlugX remote access trojan. The resulting implants, communicating over HTTPS to attacker-controlled domains, provide long-term access for reconnaissance, keylogging, command execution and collection of sensitive diplomatic documents and credentials aligned with PRC strategic intelligence priorities.
FullBeauty Brands, Inc.
October 18, 2025
•[ ransomware, data leak, unauthorized access ]
Unauthorized actors accessed FullBeauty Brands' systems over several weeks in late 2025 and exfiltrated internal company data, later claimed by the Everest ransomware group, with no confirmed operational disruption publicly disclosed.
Arizona Federal Public Defender’s Office
September 24, 2025
•[ ransomware, data exfiltration, backup deletion ]
Ransomware detected Sept. 24, 2025 crippled Arizona's Federal Public Defender Office, encrypting decades of case files and deleting backups. Investigators suspect, but have not confirmed, data exfiltration. No threat group has claimed responsibility.
Undisclosed Southeast Asian conglomerate
July 1, 2025
•[ intrusion, data exfiltration, corporate data ]
The Osiris threat group conducted a prolonged intrusion against an undisclosed Southeast Asian conglomerate beginning in mid-2025, resulting in the exfiltration of large volumes of sensitive corporate and financial data. The incident is documented through security research and attacker leak site claims, without confirmation of ransomware encryption.
Undisclosed Ukrainian critical infrastructure organization
April 1, 2025
•[ malware, data exfiltration, wiper ]
The FSB's 18th Center for Information Security (Gamaredon) deployed PathWiper malware against an undisclosed Ukrainian critical-infrastructure operator in early April 2025, exfiltrating large volumes of operational data before executing a destructive wiper that caused temporary service degradation.
Sam’s Club
March 28, 2025
•[ ransomware, data leak, cybersecurity investigation ]
Sam's Club, a U.S. warehouse retail chain owned by Walmart Inc., is investigating claims by the ransomware group Clop that it breached the company's systems. Clop added Sam's Club to its dark-web leak site but so far has not provided any proof of data exfiltration. Sam's Club acknowledged awareness of the potential incident and emphasized protecting member information is a priority while its internal investigation continues.