Goldman Sachs (via Fried Frank Harris Shriver & Jacobson LLP)
December 19, 2025
•[ data leak, third-party breach ]
Goldman Sachs notified clients that some client data may have been exposed following a cybersecurity incident at its external law firm, Fried Frank; Goldman stated its own systems were not compromised.
Truenorth Corporation
November 25, 2025
•[ ransomware, third-party breach, government ]
Puerto Rico officials reported a Thanksgiving-week cyberattack targeting IT contractor Truenorth Corporation that briefly disrupted systems used by three major agencies: the Department of Education, the Puerto Rico Health Insurance Administration (ASES), and the State Insurance Fund Corporation (CFSE). Reporting cited an independent cybersecurity source describing the incident as ransomware detected on Nov. 25, 2025, with rapid ripple effects into those agencies systems. Officials stated citizen data was not compromised, and other agencies under Truenorth contracts (including the State Elections Commission) were reported as not affected. The events primary confirmed impact was short-term operational disruption across multiple government agencies tied to the vendors environment.
ModMed (Modernizing Medicine)
October 24, 2025
•[ data leak, healthcare, third-party breach ]
Modernizing Medicine (ModMed) said it discovered unauthorized activity on July 29, 2025, and confirmed that attackers had accessed and exfiltrated data from servers hosting podiatry-client EHR information between July 910. Exposed fields include full names, addresses, DOB, SSNs, contact details, health insurance info, medical record and patient account numbers, dates of service, providers/practices, billing/diagnostic codes, prescription/medication data, and diagnosis/treatment information; providers were notified on September 19 and patients on October 17. Days later, a seller advertised a partial EHR database (1,0001,500 podiatry patient records) on a breach forum/Telegram, indicating financially motivated data trafficking, though ModMed has not confirmed a second intrusion. Overall impact: large-scale PHI exposure from vendor-hosted servers, with evidence of downstream data sale attempts.
Dodd Group
October 19, 2025
•[ data leak, third-party breach ]
Report claims Russian group accessed contractor and leaked MoD base documents
Windsor International Airport
October 14, 2025
•[ hacktivism, unauthorized access, third-party breach ]
Unauthorized pro-Palestinian messages played; one Delta flight delayed; third-party cloud PA cited
Renault UK
October 3, 2025
•[ data leak, third-party breach ]
Third-party service provider breach affecting Renault UK customer records; exposed contact and vehicle identifiers; Renault says own systems not compromised.
Discord
October 3, 2025
•[ data leak, third-party breach ]
Third-party customer support vendor was breached, exposing support tickets, personal data, limited billing details, and a small number of government-ID images; Discord core systems unaffected.
Vitas Hospice
September 21, 2025
•[ data leak, third-party breach, healthcare ]
Vitas Hospice Services (Vitas Healthcare) detected a cybersecurity intrusion on 10/24/2025. According to the organizations breach notice and subsequent reporting, the threat actor gained access to certain Vitas systems by using a compromised third-party vendor account. The unauthorized access persisted from approximately 09/21/2025 through 10/27/2025, and the attacker downloaded files containing personal information of current and former patients. Exposed data elements included identifiers (name, address, phone number, date of birth), government identifiers (drivers license number and Social Security number), and protected health information such as medical and insurance details, plus next-of-kin contact information. Government breach tracking and reporting indicated 319,177 individuals were affected. Vitas stated it took steps to secure systems, investigate, and notify impacted individuals, though the specific malware or group responsible was not publicly identified.
Personic Management Company LLC d/b/a Personic Health
August 29, 2025
•[ data leak, healthcare, third-party breach ]
Healthcare management firm Personic Management Company (Personic Health) reported that an unauthorized actor accessed a third-party software platform used to process patient information on August 29, 2025. The intrusion, discovered on September 1, enabled the attacker to obtain data containing patients names and associated protected health information from Personic-affiliated providers. After engaging external cybersecurity experts and notifying law enforcement, Personic filed breach notices with state regulators and began sending letters to impacted individuals, warning them about identity-theft risks and the potential misuse of their medical data.
Personic Management Company LLC
August 29, 2025
•[ data leak, unauthorized access, third-party breach ]
Personic reported unauthorized activity affecting a third-party software platform it used to process patient information. The company stated it became aware of the issue on September 1, 2025, and an investigation concluded an unauthorized actor accessed the platform on August 29, 2025 and obtained certain data. The public notice stated the impacted data may include names and protected health information. Personic reported filing a notice with the Maine Attorney Generals office and beginning notification of impacted individuals on November 18, 2025.
CoVantage Credit Union
August 14, 2025
•[ data leak, third-party breach ]
CoVantage reported a data breach originating at its third-party vendor, Marquis Software Solutions. CoVantage learned on 08/14/2025 that Marquis experienced a cybersecurity incident affecting its internal environment, and Marquis later determined that files containing CoVantage customer information had been accessed or acquired. CoVantage filed notice with the Maine Attorney General and began notifying affected individuals on 11/26/2025.
Industrial Credit Union of Whatcom County
August 14, 2025
•[ data leak, third-party breach ]
Industrial Credit Union of Whatcom County reported a data breach stemming from a security incident at a third-party communication delivery vendor that provides print and email services to financial institutions; the credit union stated its own systems were not breached. The potentially impacted data includes names, dates of birth, Social Security numbers, and financial/banking information. The credit union filed notice with the Washington State Attorney Generals office and began sending notification letters to impacted individuals on Nov. 26, 2025. Public reporting linked this incident to the Marquis Software Solutions vendor intrusion detected on Aug. 14, 2025.
With Intelligence Ltd. (via third-party PeopleCheck)
June 28, 2025
•[ data leak, third-party breach, compromised credentials ]
On June 28, 2025, threat actors using compromised login credentials accessed PeopleCheck systems, a third-party provider for With Intelligence Ltd., resulting in exposure of sensitive personal information of job candidates and employeesincluding SSNs and birth dates. No evidence of data encryption or disruption. With Intelligence notified the affected parties by July 11, 2025 and provided 24 months of credit monitoring.
Tiffany & Co.
May 26, 2025
•[ data leak, third-party breach ]
Selected Tiffany Korea customers notified of unauthorized access to a vendor system used for customer data; reporting to date only confirms impact on Korean/Chinese customers and does not indicate EU/US exposure or operational disruption.
Toppan Next Tech
April 7, 2025
•[ ransomware, data leak, third-party breach ]
A ransomware attack on DBS Bank's third-party printing vendor Toppan Next Tech in Singapore led to the potential exposure of around 8,200 DBS customer statements and related letters, mostly for DBS Vickers trading and Cashline loan accounts. The attacker compromised Toppan's systems, leaving encrypted statement files potentially accessible, but DBS' own banking infrastructure and customer funds remained unaffected. Exposed data in the printed correspondence includes customers' names, mailing addresses and details of equity holdings or loan accounts, while passwords, government ID numbers and balances were not part of the leak. Authorities and cybersecurity agencies are assisting the investigation as DBS halts work with the vendor and notifies affected customers.
Western Alliance Bank
March 18, 2025
•[ data leak, third-party breach ]
Western Alliance Bank notified 21,899 customers that their personal information was stolen after a breach of a third-party secure file transfer system. The breach occurred between October 12 and October 24, 2024, and exposed names, Social Security numbers, dates of birth, financial account numbers, drivers licence numbers, tax IDs and/or passport information. The company found no evidence of fraudulent use yet and is providing one year of complimentary credit monitoring to those impacted.
Chicago Public Schools
March 7, 2025
•[ data leak, third-party breach ]
Vendor Software Exploited Led To Exposure Of Chicago Public Schools Student Information.
Stubhub
March 6, 2025
•[ vulnerability exploitation, data leak, third-party breach ]
A cybercrime group exploited a URL redirection vulnerability in a third-party contractor system for StubHub to steal around 1,000 digital tickets for major events, including Taylor Swifts Eras Tour. The stolen tickets, valued at approximately $635,000, were resold online for profit. The scheme operated between June 2022 and July 2023 before being uncovered through a coordinated investigation by cybersecurity and law enforcement agencies. Two individuals, Tyrone Rose and Shamara P. Simmons, were arrested and charged with grand larceny, identity theft, and computer tampering in connection with the operation.
MainStreet Bank (via third-party vendor)
March 4, 2025
•[ data leak, third-party breach ]
MainStreet Bancshares (Nasdaq: MNSB & MNSBP), the financial holding company behind MainStreet Bank, has disclosed a data breach impacting some of its customers.
Intellihartx, LLC (vendor for Arkansas Heart Hospital LLC)
February 20, 2025
•[ data leak, third-party breach ]
Intellihartx, LLC, a healthcare revenue-cycle and patient engagement vendor for Arkansas Heart Hospital, reported that unauthorized actors accessed and exfiltrated files from its systems between January 22 and February 20 2025. The vendors Maine Attorney General notice states 1,674,294 individuals were affected across its clients. Exposed data included names, Social Security numbers, dates of birth, contact information, and medical and insurance details for patients linked to Arkansas Heart Hospital.
