Chicago Public Schools
March 7, 2025
•[ data leak, third-party breach ]
Vendor Software Exploited Led To Exposure Of Chicago Public Schools Student Information.
Stubhub
March 6, 2025
•[ vulnerability exploitation, data leak, third-party breach ]
A cybercrime group exploited a URL redirection vulnerability in a third-party contractor system for StubHub to steal around 1,000 digital tickets for major events, including Taylor Swifts Eras Tour. The stolen tickets, valued at approximately $635,000, were resold online for profit. The scheme operated between June 2022 and July 2023 before being uncovered through a coordinated investigation by cybersecurity and law enforcement agencies. Two individuals, Tyrone Rose and Shamara P. Simmons, were arrested and charged with grand larceny, identity theft, and computer tampering in connection with the operation.
MainStreet Bank (via third-party vendor)
March 4, 2025
•[ data leak, third-party breach ]
MainStreet Bancshares (Nasdaq: MNSB & MNSBP), the financial holding company behind MainStreet Bank, has disclosed a data breach impacting some of its customers.
Intellihartx, LLC (vendor for Arkansas Heart Hospital LLC)
February 20, 2025
•[ data leak, third-party breach ]
Intellihartx, LLC, a healthcare revenue-cycle and patient engagement vendor for Arkansas Heart Hospital, reported that unauthorized actors accessed and exfiltrated files from its systems between January 22 and February 20 2025. The vendors Maine Attorney General notice states 1,674,294 individuals were affected across its clients. Exposed data included names, Social Security numbers, dates of birth, contact information, and medical and insurance details for patients linked to Arkansas Heart Hospital.
American Israel Public Affairs Committee (AIPAC)
February 6, 2025
•[ data leak, third-party breach ]
AIPAC reported that a criminal cyberattack on a third party led to unauthorized access to files on its own information systems from October 2024 through February 2025 and a review later determined that personal identifiers for 810 individuals had been taken prompting notification letters and additional security controls
Grubhub
January 25, 2025
•[ data leak, third-party breach ]
Grubhub disclosed that a third-party vendor account was compromised, allowing limited access to contact and partial payment information for customers, drivers, and merchants. Full card, bank, and SSN data were not accessed. No attribution to a specific threat group. Incident contained.
Health Service Executive (HSE) – primary care services, Midlands (third-party processor)
January 2, 2025
•[ ransomware, data breach, third-party breach ]
DataBreaches summarized reporting that the Irish Health Service Executive confirmed a second ransomware attack occurred in February 2025, targeting a third-party processor and resulting in a data protection breach reported by HSE primary care services in the Midlands. The HSE stated there was no evidence that patients data was stolen in the incident, and the brief report did not describe prolonged operational disruption or specify what systems were encrypted. Based on the confirmation of a ransomware incident affecting a processor, this is coded as a disruptive event with limited publicly available detail on scope and duration.
Carruth Compliance Consulting
December 19, 2024
•[ data leak, third-party breach ]
Third-Party Retirement Plan Administrator Reported December Intrusion Exfiltrating School Employee Data.
Beacon Health Three Rivers
December 2, 2024
•[ unauthorized access, third-party breach ]
Vendor Cps Solutions reported unauthorized email access Dec 24; hospital notified patients.
Concord Orthopaedics
November 21, 2024
•[ data leak, third-party breach ]
Vendor breach exposed patient Pii/phi; notifications sent months after discovery.
Biomedical Caledonia Medical Laboratory
November 1, 2024
•[ data leak, hacked, third-party breach ]
In November 2024, unauthorized actors accessed Biomedical Caledonia Medical Laboratorys systems through an external vendor, prompting an investigation and cybersecurity upgrades. The lab confirmed the intrusion but did not disclose specific data types or quantities affected. No evidence of encryption or operational disruption has been reported.
Gold Coast Health Plan
October 21, 2024
•[ data leak, third-party breach, account takeover ]
Gold Coast Health Plan reported that a contracted vendor (Conduent Business Solutions) suffered a cyberattack involving compromise of a single employee email account, which allowed unauthorized access to certain files during a window from Oct. 21, 2024 to Jan. 13, 2025. The vendor discovered the incident on Jan. 13, 2025 and began an investigation with law enforcement notification. A later forensic review determined that information for 540 plan members could have been exposed, listing specific claim-related and membership data elements; the release stated that Social Security numbers and financial information were not accessed or disclosed.
Mutua Madrileña
September 27, 2024
•[ cyber attack, data leak, third-party breach ]
Mutua Madrilea suffers a cyber attack on its home customer base, through an external provider, which affects thousands of customers.
Phoenix Rehabilitation & Nursing Center
July 20, 2024
•[ data leak, third-party breach ]
Third-party vendor breach exposed PHI/PII for Phoenix Rehab; access confirmed July 20, 2024; notifications sent Jan 28, 2025.
Harbin Clinic
July 1, 2024
•[ data leak, third-party breach ]
Third-party breach at Nationwide Recovery Services (July 2024) led to theft of Harbin Clinic patient data; disclosures and notifications in May 2025.
Lee University
March 22, 2024
•[ data leak, third-party breach ]
University filed notices after third-party software exploit enabled data access.
