Search Results for "third-party breach"

Village of Chase May 19, 2026 • [ Business Email Compromise (BEC), Fraud, Financial Loss ] A vendors email account was compromised, causing the Village of Chase to send a payment to fraudulent bank details, resulting in a loss of $44,536; most of the funds were recovered and the loss was covered by prioryear surplus.

Vimeo April 28, 2026 • [ extortion, data leak, third-party breach ] In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata. The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include "Vimeo video content, valid user login credentials, or payment card information".

Inditex (Zara owner) April 15, 2026 • [ unauthorized access, third-party breach, customer transaction information ] Inditex reported unauthorized access to third-party-hosted databases containing customer transaction information; the company said the affected databases did not contain addresses, passwords, or bank card details and that it applied security protocols and notified authorities.

Rockstar Games April 11, 2026 • [ data breach, third-party breach, SaaS breach ] ShinyHunters claimed it stole nearly 80 million business records from Rockstar Games through a third-party SaaS/Snowflake-related breach; Rockstar said only a limited amount of non-material company information was accessed and that there was no impact on operations or players.

Los Angeles City Attorney’s Office March 20, 2026 • [ data leak, unauthorized access, third-party breach ] World Leaks posted an archive of approximately 7.7 TB / 337,000 files after unauthorized access to a third-party discovery-transfer tool used by the Los Angeles City Attorneys Office; the data included LAPD civil litigation discovery files, personnel and disciplinary records, witness information, medical information, and investigative materials, while LAPD said its own systems were not breached.

Cuero Chamber of Commerce January 26, 2026 • [ malware, social engineering, ClickFix ] The Cuero Chamber of Commerce reported a malware/social engineering incident affecting its web properties after a customer noticed suspicious activity in an email sent January 26. The chamber said users registering for an event were shown a CAPTCHA prompt and then instructed to press Windows+R and paste/run contentbehavior consistent with ClickFix social engineering designed to trick victims into executing malicious commands on their own devices. The chamber stated that the Cuero Development Corporation website was the only confirmed security breach and that significant data loss occurred, and it believed the malware was introduced via a third-party platform (Shopify) used for event registration. The chamber said it could not determine how many people or organizations were affected and implemented additional safeguards.

French Office for Immigration and Integration (OFII) January 1, 2026 • [ data leak, hacking, third-party breach ] A hacker posted samples of foreigners personal data online on January 1, 2026, stating on a specialist forum that the information was obtained by hacking the French Office for Immigration and Integration (OFII) and that the motive was profit. Reporting described two posted samples: one with fewer than 1,000 foreign nationals and another involving 600 Israelis currently or previously residing in France, with fields such as names, date of entry, status/reasons for stay, email addresses, and phone numbers. OFII confirmed a data theft but said the intrusion was linked to a subcontractor/operator with access to OFII data rather than directly compromising OFIIs information system.

Goldman Sachs (via Fried Frank Harris Shriver & Jacobson LLP) December 19, 2025 • [ data leak, third-party breach ] Goldman Sachs notified clients that some client data may have been exposed following a cybersecurity incident at its external law firm, Fried Frank; Goldman stated its own systems were not compromised.

Truenorth Corporation November 25, 2025 • [ ransomware, third-party breach, government ] Puerto Rico officials reported a Thanksgiving-week cyberattack targeting IT contractor Truenorth Corporation that briefly disrupted systems used by three major agencies: the Department of Education, the Puerto Rico Health Insurance Administration (ASES), and the State Insurance Fund Corporation (CFSE). Reporting cited an independent cybersecurity source describing the incident as ransomware detected on Nov. 25, 2025, with rapid ripple effects into those agencies systems. Officials stated citizen data was not compromised, and other agencies under Truenorth contracts (including the State Elections Commission) were reported as not affected. The events primary confirmed impact was short-term operational disruption across multiple government agencies tied to the vendors environment.

NYC Health + Hospitals November 25, 2025 • [ third-party breach, healthcare data, biometric data ] Unauthorized actors accessed NYC Health + Hospitals systems through a third-party vendor between approximately November 25, 2025 and February 2026, exposing personal, medical, health insurance, biometric, and financial information of approximately 1.8 million individuals.

ModMed (Modernizing Medicine) October 24, 2025 • [ data leak, healthcare, third-party breach ] Modernizing Medicine (ModMed) said it discovered unauthorized activity on July 29, 2025, and confirmed that attackers had accessed and exfiltrated data from servers hosting podiatry-client EHR information between July 910. Exposed fields include full names, addresses, DOB, SSNs, contact details, health insurance info, medical record and patient account numbers, dates of service, providers/practices, billing/diagnostic codes, prescription/medication data, and diagnosis/treatment information; providers were notified on September 19 and patients on October 17. Days later, a seller advertised a partial EHR database (1,0001,500 podiatry patient records) on a breach forum/Telegram, indicating financially motivated data trafficking, though ModMed has not confirmed a second intrusion. Overall impact: large-scale PHI exposure from vendor-hosted servers, with evidence of downstream data sale attempts.

Dodd Group October 19, 2025 • [ data leak, third-party breach ] Report claims Russian group accessed contractor and leaked MoD base documents

Windsor International Airport October 14, 2025 • [ hacktivism, unauthorized access, third-party breach ] Unauthorized pro-Palestinian messages played; one Delta flight delayed; third-party cloud PA cited

Renault UK October 3, 2025 • [ data leak, third-party breach ] Third-party service provider breach affecting Renault UK customer records; exposed contact and vehicle identifiers; Renault says own systems not compromised.

Discord October 3, 2025 • [ data leak, third-party breach ] Third-party customer support vendor was breached, exposing support tickets, personal data, limited billing details, and a small number of government-ID images; Discord core systems unaffected.

Vitas Hospice September 21, 2025 • [ data leak, third-party breach, healthcare ] Vitas Hospice Services (Vitas Healthcare) detected a cybersecurity intrusion on 10/24/2025. According to the organizations breach notice and subsequent reporting, the threat actor gained access to certain Vitas systems by using a compromised third-party vendor account. The unauthorized access persisted from approximately 09/21/2025 through 10/27/2025, and the attacker downloaded files containing personal information of current and former patients. Exposed data elements included identifiers (name, address, phone number, date of birth), government identifiers (drivers license number and Social Security number), and protected health information such as medical and insurance details, plus next-of-kin contact information. Government breach tracking and reporting indicated 319,177 individuals were affected. Vitas stated it took steps to secure systems, investigate, and notify impacted individuals, though the specific malware or group responsible was not publicly identified.

DocketWise September 1, 2025 • [ unauthorized access, third-party breach, credential theft ] DocketWise discovered unauthorized access to a third-party partner repository used in a data migration pipeline; an unauthorized actor used valid credentials to clone repositories containing law-firm customer records and personal information of their clients.

Personic Management Company LLC August 29, 2025 • [ data leak, unauthorized access, third-party breach ] Personic reported unauthorized activity affecting a third-party software platform it used to process patient information. The company stated it became aware of the issue on September 1, 2025, and an investigation concluded an unauthorized actor accessed the platform on August 29, 2025 and obtained certain data. The public notice stated the impacted data may include names and protected health information. Personic reported filing a notice with the Maine Attorney Generals office and beginning notification of impacted individuals on November 18, 2025.

Personic Management Company LLC d/b/a Personic Health August 29, 2025 • [ data leak, healthcare, third-party breach ] Healthcare management firm Personic Management Company (Personic Health) reported that an unauthorized actor accessed a third-party software platform used to process patient information on August 29, 2025. The intrusion, discovered on September 1, enabled the attacker to obtain data containing patients names and associated protected health information from Personic-affiliated providers. After engaging external cybersecurity experts and notifying law enforcement, Personic filed breach notices with state regulators and began sending letters to impacted individuals, warning them about identity-theft risks and the potential misuse of their medical data.

CoVantage Credit Union August 14, 2025 • [ data leak, third-party breach ] CoVantage reported a data breach originating at its third-party vendor, Marquis Software Solutions. CoVantage learned on 08/14/2025 that Marquis experienced a cybersecurity incident affecting its internal environment, and Marquis later determined that files containing CoVantage customer information had been accessed or acquired. CoVantage filed notice with the Maine Attorney General and began notifying affected individuals on 11/26/2025.

Search Results (third-party breach)