Last Updated: April 2nd, 2026 | 134 min read | Categories: Ransomware, Research

The State Of Ransomware 2026

March

March saw 90 publicly disclosed ransomware attacks, marking the second month this year in which incidents exceeded 90. Organizations in the United States accounted for 60% of all reported attacks, with smaller nations such as Andorra and Panama also included among the 24 countries impacted. Healthcare remained the most targeted sector with 18 attacks, followed by government and manufacturing with 14 and 12 incidents, respectively. In total, 30 ransomware groups were linked to publicly disclosed attacks, with Qilin leading activity with eight attacks.

Keep reading to find out who made ransomware headlines in March.

1. DragonForce ransomware group claimed responsibility for an attack on the Getulio Vargas Foundation (FGV), a leading educational institution in Brazil, involving unauthorized access and the exfiltration of approximately 1.52 TB of data, including sensitive information such as names, identification details, and banking data. FGV confirmed it experienced a security incident that temporarily disrupted some of its systems and acknowledged that data associated with the institution has appeared on the dark web.

2. A cyberattack disrupted the Denmark School District in Wisconsin, leaving it without internet access for five school days and forcing teachers and students to switch to paper-based workarounds. District officials did not disclose which systems were impacted or whether any data was compromised. The INC ransomware group claimed responsibility, stating it had stolen 707 GB of data and issuing a six-day deadline for negotiations.

3. Qilin claimed responsibility for a breach of LISI Group, listing the French industrial component supplier on its dark web leak site. The company, which supplies parts to Airbus and Boeing, confirmed it experienced a cyber incident but stated that its impact was limited in scope. Samples released by the attackers reportedly include screenshots of bank transfers, sales plans, business documents, bank account details, and other sensitive files.

4. Anubis ransomware group claimed responsibility for a cyberattack on AkzoNobel, a global paints and coatings manufacturer, involving a breach at one of its U.S. sites. The attackers reportedly exfiltrated around 170 GB of data, including sensitive information such as employee details, passport scans, internal documents, and client agreements. AkzoNobel confirmed the incident, stating it was contained and limited in scope, while investigations and notifications to affected parties are ongoing.

5. Community Health Action of Staten Island has notified certain individuals of a cybersecurity incident that may have involved unauthorized access to, or theft of, sensitive data. The breach notice offered limited details, confirming only that information such as names, Social Security numbers, and other personal data may have been affected. The Genesis ransomware group claimed responsibility, stating it exfiltrated around 200,000 records, including sensitive personal and medical data. According to the group, this includes approximately 60,000 records from HIV-tested patient databases, along with HIPAA-protected information and employee data.

6. QualDerm Partners recently disclosed additional details surrounding a December 2025 cyberattack, confirming that more than 3.1 million individuals were affected. The breach involved unauthorized access to parts of its network and the exfiltration of highly sensitive data, including personal information, medical records, treatment details, and health insurance data. Notification efforts are now underway, with impacted individuals being informed of the potential exposure. No known ransomware group has claimed the attack.

7. West Virginia law firm Katz Kantor Stonestreet & Buckner (KKSB) disclosed a data breach involving potential exposure of sensitive personal information. According to a notice on its website, the firm detected suspicious activity on its network and initiated an investigation, which confirmed that data such as names, Social Security numbers, and driver’s license details had been accessed. The Kairos ransomware group claimed responsibility, alleging it exfiltrated approximately 700 GB of data.

8. 12,655 individuals have been notified of a data breach stemming from an August 2025 incident involving the Children’s Council of San Francisco. The breach notice did not clarify whether any of the compromised data related to children. Two weeks after the attack, the SafePay cybercriminal group claimed responsibility via its leak site, demanding an undisclosed ransom within 24 hours in exchange for deleting the stolen data. It remains unclear whether the organization engaged with the attackers.

9. Nephrology Associates Medical Group has begun notifying patients of a cyberattack and data breach initially identified in May 2025. The organization detected suspicious activity on its network and took steps to secure its systems and limit further unauthorized access. An investigation later confirmed that a third party had accessed the network and exfiltrated files containing patient information, including names, medical and health data, as well as billing and payment details.

10. Valley Radiology Consultants Medical Group announced a security incident and data breach that was first identified in September 2025. Immediate action was taken to secure its network, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. An investigation confirmed unauthorized access to its network and files containing patient information.

11. LHT Holdings recently detected a cybersecurity incident involving unauthorized access to parts of its network, which led to the encryption of certain systems. The company quickly isolated affected systems, engaged external cybersecurity specialists, and notified the relevant authorities. Preliminary findings suggest the incident was contained, with no evidence that personal or confidential data was accessed. However, the INC ransomware group claimed responsibility, publishing a number of documents on its leak site to support its claims.

12. Dutch plastic recycler Cabka identified a cybersecurity incident impacting portions of its IT systems. Upon detection, the company isolated affected systems and engaged external cybersecurity experts to carry out a forensic investigation, which remains ongoing. Play ransomware group claimed responsibility for the attack, issuing a four-day deadline for negotiations.

13. ShinyHunters listed Woflow on its dark web blog, threatening to release stolen data on March 6 if its demands were not met. The group claimed to hold hundreds of millions of records containing personal information, transaction data, and other internal corporate materials, although no sample data was provided. Woflow has not publicly confirmed or responded to these claims.

14. The City of Seal Beach, California, reported detecting unusual activity within its network. Officials stated that the environment was secured upon discovery and an investigation was initiated, though no further details have been released due to the ongoing nature of the case. Qilin ransomware group claimed responsibility, posting screenshots of alleged stolen documents on its dark web leak site, but did not specify the volume or type of data involved.

15. Qilin claimed to have breached Tennessee Valley Electric Cooperative (TVEC), based in Savannah, Tennessee. However, the group’s dark web post did not include details about the alleged attack or any data obtained, and no supporting evidence was provided. TVEC has not yet publicly responded to these claims.

16. The Warren County Sheriff’s Office in Kentucky confirmed it has notified an undisclosed number of individuals following a data breach identified in December 2025. An investigation into suspicious network activity determined that cybercriminals had accessed and exfiltrated data, including names, Social Security numbers, driver’s license details, and health insurance ID numbers. RansomHouse claimed responsibility, alleging it stole 743 GB of data, including weapons license records and “videos and investigative materials purportedly showing abuse of authority by officers.”

17. Universal Mailing Services (UMS) was reportedly targeted in a cyberattack claimed by the Securotrop ransomware group. The attackers allege that approximately 490 GB of data was exfiltrated, including around 500,000 documents that were later published on their leak site. According to their claims, the stolen data contains sensitive information relating to both employees and clients.

18. Australian fashion brand Helen Kaminski was reportedly targeted in a ransomware attack claimed by the Play group. According to the group’s dark web listing, the attackers allege they exfiltrated sensitive corporate data, including client documents, payroll information, financial and tax records, and identification data. A three-day deadline for negotiations was issued, although no evidence was provided to support the claims.

19. Ericsson’s U.S. subsidiary reported that data belonging to more than 15,000 employees and customers was compromised following a breach at one of its service providers. According to the company, the provider responsible for storing personal data identified the incident in late April 2025, triggering an investigation into its scope and impact. The exposed information is understood to include personal data, financial details, and medical information.

20. ELECQ, a manufacturer of smart electric vehicle chargers, has warned customers that their personal data may have been compromised in a ransomware attack that encrypted and exfiltrated information from its cloud systems. The company detected unusual activity on its AWS platform and determined that parts of its infrastructure had been targeted. ELECQ stated that no financial data was affected by the incident. No known ransomware group has claimed responsibility for this incident.

21. Ransomware group Genesis added the City of Hart in Michigan to its leak site, claiming to have stolen 300 GB of data. City officials stated that the city responded to an IT incident involving unauthorized access to a limited portion of its network. An investigation into the incident remains ongoing, limiting the information that can be publicly shared. Genesis gave the city less than six days to meet its undisclosed ransom demands before data was published. 

22. In Pennsylvania, the Community College of Beaver County was impacted by a ransomware attack that resulted in the encryption of all its data. The incident came to light when the IT department discovered the college had been completely locked out of its systems and received a ransom note from the attackers. The administration has since been working with its insurance provider to help identify the threat actors and explore options to restore access before considering any ransom payment.

23. Wagon Mound Public Schools took its internet and networked systems offline after the superintendent informed families that a virus had disrupted access across the network. The district notified its insurance provider and began recovery efforts to restore systems. In early March, the Interlock group listed the district as a victim, claiming to have exfiltrated 80 GB of data, including staff and student information. The district has not publicly addressed these claims.

24. The Independent Public Regional Hospital in western Poland was forced to revert to paper-based processes following a cyberattack that impacted its IT systems. Hospital officials confirmed the incident temporarily disrupted digital operations, although patient care was not affected. It remains unclear whether any data was exfiltrated, and no ransomware group has claimed responsibility for the attack.

25. Approximately 90,000 individuals were affected by a ransomware attack on the National Association on Drug Abuse Programs (NADAP), attributed to the Genesis group. The incident, which occurred in late January 2026, involved the compromise of protected health information and personally identifiable data relating to clients and associated individuals. Genesis later claimed responsibility in March, alleging it exfiltrated 2 TB of data, including medical records and HR files, and provided an extended justification for targeting the nonprofit organization.

26. Lehigh Carbon Community College was forced to close following disruption to its IT systems caused by a ransomware attack. The disruption impacted the school’s network and school operations. A forensic investigation into the incident remains ongoing. Medusa claimed responsibility for the attack, posting a $100,000 ransom demand in exchange for an undisclosed amount of exfiltrated data. 

27. SafePay listed NSW-based dental practice Smile Team Orthodontics on its dark web leak site in mid-March, publishing documents allegedly obtained during the breach. The exposed data includes staff directories and personal details such as addresses and emails, as well as medical certificates, training and certification records, and hundreds of DentiCare patient payment plans. Additional internal documents and some patient treatment histories were also disclosed. Smile Team confirmed it experienced a cyber incident that resulted in unauthorized access to parts of its IT systems.

28. A cyberattack targeted ASB Saarland, a German humanitarian and social services organization, after attackers gained access to one of its servers containing sensitive data. According to the organization, the compromised system held personal information relating to current and former employees, applicants, and clients, including employment records, contact details, and in some cases health-related information. The affected server was quickly isolated and forensic investigations were launched, with authorities notified. Operations such as emergency services and patient care continued without disruption. Qilin claimed responsibility for the attack, allegedly stealing 72 GB of data and adding proof of claims documentation to its dark web leak site. 

29. MetroWest Community Federal Credit Union, a U.S.-based financial institution, reported that a data breach identified in September 2025 exposed the personal and financial information of more than 20,000 customers. The organization detected unauthorized access to certain systems, which allowed attackers to obtain sensitive customer and banking data. Akira ransomware group claimed responsibility, alleging it exfiltrated 294 GB of corporate data, including employee personal, financial, and employment records, as well as client files and non-disclosure agreements.

30. LockBit claimed responsibility for a cyberattack targeting the Alcorn School District in Mississippi. In response to suspicious activity that disrupted its systems, the district shut down its network. The group has reportedly issued a two-week deadline for the district to pay an unspecified ransom. The extent and type of any data exfiltrated remain unknown at this time.

31. A database purportedly linked to SUCCESS Magazine, containing over 141,000 subscriber records, has appeared on a cybercrime forum. The exposed data is said to include detailed customer information tied to the publication’s subscription and retail systems. Sample records indicate data such as names, email addresses, phone numbers, and physical mailing addresses was compromised. The party responsible for the incident has not yet been confirmed.

32. England Hockey, the national governing body for field hockey in England, is investigating a suspected data breach after being listed as a victim on the AiLock ransomware group’s leak site. The group claims to have exfiltrated 129 GB of data and has threatened to release the files unless an undisclosed ransom is paid. While England Hockey has acknowledged the incident, it stated that no further details can be shared at this stage due to the ongoing investigation.

33. Handala has claimed responsibility for a cyberattack against New York-based payment device manufacturer Verifone. The group alleged that the breach caused significant disruption to payment systems and terminals, and that all associated transaction and financial data was exfiltrated. Verifone has denied these claims, stating it found no evidence of any such incident and that its services have remained fully operational for customers.

34. DragonForce has released a batch of stolen documents on the dark web, allegedly obtained during a ransomware attack on Australian poultry producer Hazeldenes. The group claims to have exfiltrated 78.78 GB of data from the company. Hazeldenes launched an investigation into the mid-February incident and has since confirmed that data was indeed exfiltrated. The company stated that the affected information appears to be largely limited to historical operational and corporate data.

35. Telus Digital, a Canadian business process outsourcing firm, has confirmed it experienced a security incident after the ShinyHunters group claimed to have stolen nearly 1 petabyte of data over several months. The group alleged that the compromised data includes extensive customer information tied to Telus’ BPO services, as well as call records from its telecommunications division, and has reportedly attempted to extort the company. However, Telus Digital stated it is not engaging with the threat actors. While acknowledging the incident, the company added that its operations have remained fully functional, with no evidence of any disruption to service connectivity.

36. Andorra’s Pyrénées Group has confirmed that a ransomware attack led to unauthorized access to certain internal records and customer data. The company stated that cybersecurity experts successfully contained the incident, identified its source, and restored full operations. The affected data includes names, email addresses, and, in some cases, payment information. The Akira ransomware group has claimed responsibility, alleging it exfiltrated 263 GB of data. Pyrénées Group also confirmed that it did not pay any ransom to the attackers.

37. A class action lawsuit has been filed against Nelson Worldwide following a ransomware attack that allegedly exposed employee information. The Chaos ransomware group claimed to have breached the company’s systems, exfiltrating 400 GB of data, including sensitive employee records. The group reportedly threatened to release the full dataset unless the company engaged in negotiations. Nelson Worldwide has not publicly responded to these claims.

38. Loblaw Companies Limited, Canada’s largest food and pharmacy retailer, has notified customers of a cyberattack that led to the compromise of certain data. After detecting suspicious activity within a limited, non-critical segment of its network, the company determined that an unauthorized third party had accessed some basic corporate information. The group responsible for the incident has not yet been identified.

39. INC ransomware group has reportedly breached systems belonging to Hawk Law Group. The group listed the firm on its leak site, publishing a selection of documents as proof of its claims. Reports indicate that the compromised data may include clients’ personal information, such as government-issued identification and case-related details. Hawk Law Group has not yet issued a public statement regarding the incident.

40. Tieu Dental Corporation in California has begun notifying patients of unauthorized access to its computer systems that occurred last summer. The intrusion was detected in late July 2025, and a subsequent forensic investigation confirmed that the compromised files contained patient information, including names, medical records, and health insurance details. The total number of individuals affected by the breach has not yet been determined.

41. JEAN Group reported a cyberattack on its information systems that caused temporary disruption. The company stated that its security team promptly implemented defensive and recovery measures, while external cybersecurity experts were brought in to support the response. Initial assessments indicate no material impact on operations or financial performance. The LockBit ransomware group has claimed responsibility, reportedly giving the manufacturing firm a two-week deadline to pay an undisclosed ransom.

42. A ransomware attack targeted the DeKalb County Sheriff’s Department in Tennessee, disrupting its email and inmate booking systems. The department’s main server was affected, though it remains unclear what other systems may have been impacted. A third-party firm has been engaged to assess the incident and support data recovery efforts as the investigation continues.

43. Hudson River Housing has disclosed a data breach that occurred in March 2025, resulting in the compromise of personal information. A recently concluded investigation found that certain files containing sensitive data were accessed and may have been exfiltrated by an unauthorized actor. The Rhysida ransomware group claimed responsibility soon after the incident, posting sample images on its leak site as proof. The group reportedly demanded a ransom of $744,000.

44. Meadowlark Hills, a non-profit retirement community in Kansas, has reported a breach affecting the protected health information of 14,442 individuals. The organization detected unauthorized access to its network in mid-July 2025, and a subsequent forensic investigation determined that files containing personal and health data were exfiltrated. The compromised information includes names, government-issued identification, financial account details, and medical records. Beast ransomware group claimed responsibility, alleging it exfiltrated 750 GB of data.

45. MedPeds Associates of Sarasota has notified 21,430 individuals of a data breach involving personal and protected health information. The organization detected unauthorized access to its systems in September 2025, during which ransomware was used to encrypt files. A subsequent review determined that the affected data included names, dates of birth, contact details, and medical records. Beast ransomware group claimed responsibility, alleging it exfiltrated 400 GB of data.

46. Medusa ransomware group claimed responsibility for a cyberattack on Passaic County, New Jersey. The group, which reportedly demanded an $800,000 ransom with a 16-day deadline, published samples of allegedly stolen documents on its dark web leak site. Passaic County confirmed it experienced an attack affecting its IT systems and phone lines and has engaged federal and state authorities to assist with the investigation and containment efforts.

47. Health Dimensions Group reported a data breach impacting 450 individuals. The organization, which became aware of the incident in October 2025, initiated its incident response procedures and engaged cybersecurity specialists to conduct an investigation. The review determined that certain files were accessed and exfiltrated, containing information related to independent contractors. Worldleaks group has claimed responsibility and has published the stolen data.

48. Cedar Valley Services in Minnesota has confirmed that a data incident resulted in the exposure of individuals’ protected health information. Limited details about the incident have been made public. Qilin claimed responsibility in December 2025, listing the organization on its leak site and sharing screenshots of data allegedly obtained during the attack.

49. ShinyHunters cybercrime group claimed responsibility for a recent data extortion attack against Aura, a U.S.-based digital security firm, which the company confirmed resulted in the compromise of at least 900,000 records. The breach stemmed from a targeted voice phishing attack that enabled unauthorized access to an employee account for a short period, during which the threat actor exfiltrated a large dataset primarily consisting of names and email addresses. ShinyHunters alleged it stole additional corporate data and attempted to extort Aura by threatening to publish the information after failed negotiations. Aura stated that highly sensitive data such as Social Security numbers, passwords, and financial information were not compromised, and that its core systems remained secure despite the incident.

50. INC claimed responsibility for a cyberattack on Namibia Airports Company (NAC), alleging it exfiltrated nearly 500 GB of data. NAC confirmed that it detected a cybersecurity incident impacting certain IT systems, involving unauthorized access to network infrastructure and administrative accounts. The organization stated that there is currently no evidence of data exfiltration, although investigations remain ongoing to determine the full extent of the incident.

51. Foster City, California was forced to suspend all public services, except for emergency operations, following a ransomware attack. The city manager declared a state of emergency as a result of the disruption. Officials warned that public information may have been compromised and advised individuals who have interacted with the city to update their account passwords. The incident left city services offline for a week. No threat group has claimed responsibility for the attack at this time.

52. A dataset allegedly linked to Russell Cellular, a major U.S. wireless retailer, containing more than 6.3 million customer records, is being offered for sale online for $1,200. Advertised on a well-known hacker forum, the 61 GB dataset includes 209 database tables. The seller claims the data contains a broad range of sensitive customer and employee information. It is not yet clear whether the data originated from Russell Cellular’s internal systems or from a third-party service provider connected to its operations.

53. Navia Benefit Solutions has notified individuals impacted by a cyberattack that occurred in December 2025. The compromised data reportedly includes names, contact details, and Social Security numbers. According to the breach notice, approximately 2,697,540 individuals were affected, with the incident stemming from unauthorized access to Navia’s network over the course of a month. The party responsible for the attack has not yet been identified.

54. Worldleaks ransomware group has claimed responsibility for a cyberattack on Los Angeles Metro that led to system disruptions. According to local media, unauthorized activity was detected on Metro’s internal systems, prompting restricted access and impacting station arrival displays. Despite the disruption, rail and bus services continued to operate as normal, and no customer or employee data was reported to be affected. Worldleaks alleged it exfiltrated 159.9 GB of data, publishing three screenshots on its leak site as proof of claims.

55. Westport Fuel Systems reported detecting unauthorized access to portions of its network, which impacted certain internal IT business applications as well as some business and employee information. The company noted that its manufacturing systems were not affected. An investigation into the incident is ongoing. Embargo ransomware group claimed responsibility, alleging it exfiltrated 1.8 TB of data from the organization.

56. Handala group claimed responsibility for a cyberattack targeting Lockheed Martin, alleging it exfiltrated 375 TB of data from the aerospace and defense firm. The group asserts that the stolen information includes sensitive materials such as F-35 aircraft blueprints and other corporate data. It has also issued further demands exceeding $400 million in exchange for not selling the data to U.S. adversaries. A Lockheed Martin spokesperson acknowledged that the company is aware of the claims.

57. In the Philippines, a reported cybersecurity incident involving the Department of Public Works and Highways (DPWH) is under investigation following claims of data exfiltration posted on the dark web. Bashe (APT73) ransomware group listed the agency on its leak site, alleging it had stolen 50 GB of data, including internal documents, emails, financial records, and personal information. However, initial findings from the investigation indicate there is no evidence that any files were accessed or exfiltrated from DPWH’s internal systems.

58. Semiconductor testing firm Trio-Tech International identified a cyberattack in mid-March that resulted in the encryption of files across its network. In response, the company took affected systems offline and engaged cybersecurity specialists to manage the incident. The breach also led to the unauthorized exposure of certain company data. The Gunra ransomware group claimed responsibility, although it did not specify the volume of data allegedly exfiltrated.

59. The Lapsus$ group claimed responsibility for a significant data breach involving global biotechnology and pharmaceutical company AstraZeneca, alleging the theft of 3 GB of sensitive intellectual property. The stolen data reportedly includes application source code, private cryptographic keys, authentication tokens, Vault credentials, and Terraform configurations for AWS and Azure environments. The group shared previews of the data, including screenshots, on dark web forums and invited interested buyers to pay for access to the repositories. AstraZeneca has not commented on the claims.

60. DragonForce ransomware group has allegedly breached Conrad Capital’s servers, claiming to have stolen clients’ personal and financial information. The group states it exfiltrated 74.23 GB of data and issued a five-day deadline for the finance company to enter negotiations. Conrad Capital has not yet publicly responded to the claims made by DragonForce.

61. SATS AS, a training and fitness service provider, has identified unauthorized access to parts of its IT systems, resulting in a data breach. After detecting the incident, the company acted quickly to remove the intruders, contain the breach, and prevent further unauthorized access. External cybersecurity experts have been engaged to assess the full scope and impact. Preliminary findings suggest that the compromised data includes internal administrative documents, as well as personal information relating to a group of employees. The Gentlemen ransomware group has claimed responsibility for the attack.

62. Infinite Campus has notified customers of a data breach following an extortion attempt by the ShinyHunters group. According to notification letters, the incident stemmed from unauthorized access to an employee’s Salesforce account. The attackers reportedly set a March 25 deadline for the company to initiate negotiations to prevent the release of stolen data; however, Infinite Campus stated it will not engage with the threat actors. ShinyHunters claims the stolen data includes Salesforce records containing personally identifiable information and internal corporate data, though the company maintains that its investigation found no evidence that customer databases were accessed.

63. Duffy’s Sports Grill was impacted by a ransomware attack attributed to the Qilin group, which disrupted its internal systems and operations for at least a week. The incident affected both customers and staff, with several locations unable to process credit card payments, and the company’s MVP loyalty program also experiencing outages. The ransomware group did not specify how much data may have been accessed during the attack.

64. Mazda Motor Corporation recently disclosed that a December 2025 cyberattack led to the exposure of data belonging to employees and business partners. An internal investigation found that attackers exploited vulnerabilities in the company’s warehouse management system, resulting in unauthorized access to a portion of the data stored within it. A total of 692 records were accessed, none of which involved customer information. The compromised data includes names, email addresses, company names, user IDs, and business partner IDs. The Clop ransomware group claimed responsibility for the incident in November 2025. 

65. Kaplan, a Florida-based education services company, has disclosed that a cybersecurity incident late last year resulted in the exposure of sensitive personal information belonging to at least 230,000 individuals. Unauthorized actors accessed files containing names, Social Security numbers, and driver’s license numbers. No threat group has claimed responsibility for the incident.

66. NYC Health + Hospitals Corporation has disclosed that personally identifiable information and protected health information were exposed in a data security incident. Suspicious activity was detected within its network in early February, prompting an immediate response and the launch of an investigation. Findings revealed that an unauthorized third party had access to the network for nearly 11 weeks. To date no ransomware group has claimed responsibility. 

67. ShinyHunters listed Ameriprise Financial as a victim, threatening to release allegedly stolen data if a ransom is not paid. The group also warned that the data leak would be accompanied by “several annoying (digital) problems.” It claims to possess Salesforce records containing personally identifiable information, along with more than 200 GB of compressed internal SharePoint data. Ameriprise Financial has not yet publicly responded to these allegations.

68. Aroostook Mental Health Center (AMHC), a major behavioral healthcare provider in Maine, was recently targeted in a ransomware attack attributed to Qilin. The incident caused network disruption that impacted some business operations and connectivity, prompting the organization to engage external cybersecurity specialists to investigate and respond. Qilin added AMHC to its dark web leak site and claimed to have obtained data, reportedly issuing threats to publish it if negotiations were not initiated. AMHC has stated it is not engaging with the threat actors, and while the investigation remains ongoing, the organization has not confirmed whether any sensitive data was accessed or exfiltrated.

69. A newly emerged ransomware group known as ALP-001 claimed responsibility for a cyberattack against Chinese surveillance technology giant Hikvision. The group listed the company on its dark web leak site, alleging it exfiltrated approximately 19.9 TB of data from internal systems.  The threat actors warned they would release the stolen data in stages if their demands were not met, though no specific ransom amount has been disclosed.  At this stage, the claims remain unverified, as sample data links provided by the attackers were reportedly non-functional, and Hikvision has not publicly commented on the incident.

70. Spain’s Port of Vigo was hit by a ransomware attack that disrupted key digital systems used for cargo management and logistics coordination. The incident led authorities to isolate affected servers and disconnect parts of the network, forcing port operations to rely on manual, paper-based processes while systems remained offline. Despite the disruption to digital services, physical operations such as ship movements and cargo handling continued. A ransom demand was reportedly issued, though no threat group has publicly claimed responsibility. Investigations are ongoing to determine the cause and full scope of the incident, with no confirmed timeline for full system restoration.

71. St Anne’s Catholic School in Southampton was recently forced to close after a ransomware attack disrupted its IT systems. Threat actors gained access to the school’s network, impacting access to systems and temporarily halting teaching and learning activities. The school’s IT team acted quickly to contain the incident and prevent further spread, while reporting the breach to authorities including the Information Commissioner’s Office, the National Cyber Security Centre, and the police. Details surrounding the method of intrusion and any potential data compromise remain limited, with investigations ongoing.

72. Viva Ticket, a global ticketing and event management platform used by major museums, theme parks, and live events, was recently impacted by a ransomware attack that disrupted services across its network. The incident affected an estimated 3,500 partner organizations worldwide, including high-profile venues, and led to outages in online booking and ticketing systems.  While investigations are ongoing, reports indicate that certain customer data, such as names, email addresses, and purchase details, may have been exposed. There is currently no evidence that payment or banking information was compromised.  The attack has been linked to a ransomware operation, with some sources attributing it to the RansomHouse group, although full details of the breach and its impact are still being assessed.

73. Goodwill Industries of North Central Pennsylvania was recently listed as a victim by the Interlock ransomware group, which claims to have exfiltrated approximately 80 GB of data from the nonprofit organization. The group alleges that the stolen data includes personal information and financial documents related to employees and partners and has published the organization on its dark web leak site as proof of the breach. Reports indicate that the incident may be linked to wider system disruptions affecting some Goodwill operations, though details remain limited. At this time, Goodwill has not publicly confirmed the full extent of the breach, and investigations are ongoing to determine the scope and impact of the incident.

74. ShinyHunters has claimed responsibility for an attack targeting ZenBusiness, a U.S.-based business services platform. The group alleges it exfiltrated “several terabytes” of data from the company, reportedly obtained through access to cloud-based platforms such as Salesforce, Snowflake, and Mixpanel.  ShinyHunters issued a deadline for the company to initiate negotiations, warning that failure to comply would result in the public release of the stolen data along with additional disruptive actions.  While the exact nature of the compromised information has not been confirmed, sources suggest it could include internal corporate data and potentially personally identifiable information related to customers and employees. ZenBusiness has not publicly commented on the claims at this time.

75. Private healthcare provider IntraCare in New Zealand was recently impacted by a cyber breach that forced the organization to take its IT systems offline and defer at least 28 patient procedures. The incident disrupted operations and limited the provider’s ability to access patient records and contact affected individuals. In response, IntraCare engaged external cybersecurity experts, notified authorities, and launched a forensic investigation to determine the scope and impact. The Gentlemen ransomware group claimed responsibility for the attack.

76. Vantage Plastic Surgery disclosed a security incident involving unauthorized access to the protected health information of approximately 4,600 current and former patients. An investigation confirmed that patient data was exposed, with a review revealing that the compromised information included names, addresses, phone numbers, dates of birth, and medical record details.

77. Multinational communications and digital marketing firm Hightower Holdings has disclosed a significant data breach affecting 131,483 individuals. The company reported that unauthorized access to its network occurred in early January, enabling threat actors to obtain customers’ personal information. The compromised data includes names and Social Security numbers. No known ransomware group has claimed responsibility for the incident.

78. The Jackson County Sheriff’s Office in Indiana was recently hit by a ransomware attack that severely disrupted its operations, rendering its entire computer network, including PCs, Wi-Fi, and reporting systems, unusable. The incident, believed to have originated from a malicious email, forced the department to shut down systems and begin rebuilding its IT infrastructure from scratch. Law enforcement operations were significantly impacted, with officers reverting to manual processes and dispatch services temporarily relocated to another police department. Officials confirmed that no ransom would be paid.

79. Stockton Cardiology Medical Group has begun notifying patients of a recent security incident in which files containing patient information were accessed. The compromised data includes names, contact details, and billing records that may contain limited medical information. The Genesis ransomware group claimed responsibility, alleging it exfiltrated and published 645 GB of stolen data in mid-February.

80. Monmouth University in New Jersey was recently targeted in a ransomware attack claimed by the PEAR ransomware group. The threat actor alleges it exfiltrated up to 16 TB of data from the university’s systems and has posted sample materials as proof on its leak site.  The university confirmed that the incident involved unauthorized access to certain information on its network and has engaged cybersecurity experts and notified law enforcement to investigate.  While PEAR has threatened to release the stolen data if demands are not met, the full scope of the breach and the nature of the compromised information remain under review, with no confirmed operational disruption reported.

81. Omax Autos Limited confirmed that it was targeted in a ransomware attack affecting its IT infrastructure. The company stated that while unauthorized activity was detected and the incident has been verified, its core systems and manufacturing operations have not been impacted. Omax Autos has launched an investigation to assess the extent of any potential damage or data exposure and is implementing remedial measures to strengthen its cybersecurity posture. The full scope and impact of the incident remain under review.

82. Panama’s Social Security Fund (CSS) activated a contingency plan following a suspected cyberattack that affected parts of its digital infrastructure. The organization reported disruptions to its web services and quickly implemented response measures to contain the incident and maintain operations. The Gentlemen ransomware group has claimed responsibility for the attack. While details remain limited, CSS stated it is continuing to assess the potential impact and restore full functionality, with investigations ongoing.

83. Statistics South Africa (Stats SA) has reportedly been targeted in a ransomware attack that may have exposed large volumes of sensitive data. The agency confirmed the incident, while threat actors identified as the XP95 ransomware group claimed to have exfiltrated over 450,000 files totalling approximately 154 GB, including data from internal systems such as HR records. The group allegedly demanded a ransom of around $100,000 in exchange for not releasing the data. Sample files were posted on its leak site as proof of its claims.

84. Bangladesh’s largest supermarket chain, Shwapno, was listed on LockBit’s leak site in mid-March, with the group releasing more than 410 GB of data on the dark web. The exposed files reportedly include customer names, phone numbers, purchase histories, supplier information, contracts, bank deposit records, HR documents, and internal policies. The incident follows a separate ransomware claim made by the Qilin group approximately seven months earlier.

85. Woodfords Family Services has notified authorities of a ransomware attack in 2024 that resulted in the breach of personal and protected health information of 8,073 individuals. Suspicious activity was first identified in April 2024, with a comprehensive internal review only concluding in late January 2026. Medusa ransomware group claimed responsibility for the attack shortly after it occurred.

86. U.S.-based healthcare technology provider CareCloud disclosed a cybersecurity incident involving unauthorized access to one of its electronic health record (EHR) environments. The attack caused a temporary network disruption lasting approximately eight hours, affecting the functionality and data access of part of its CareCloud Health platform. The company confirmed that an unauthorized third party gained access to systems containing patient information, though it is still assessing whether any data was accessed or exfiltrated. CareCloud engaged external cybersecurity experts, notified authorities, and has since restored all affected systems. At this time, no ransomware group has claimed responsibility, and the full scope and impact of the incident remain under investigation.

87. XP95 ransomware group has claimed responsibility for a cyberattack on the Gauteng City Region Academy, alleging it accessed and exfiltrated approximately 147 GB of private and personal data. The group is reportedly demanding a ransom of $100,000 in exchange for not releasing the information. The academy, a Gauteng provincial government entity focused on providing bursaries, internships, and training opportunities for young people, has not publicly responded to the claims.

88. XP95 ransomware group has claimed responsibility for a cyberattack on Eholo Health, a Spanish provider of clinical management software for psychologists. The group alleges it exfiltrated approximately 165 GB of data, including over 1.1 million medical notes and personal information relating to more than 600,000 users. According to XP95, the data was initially intended for sale after the company allegedly refused to pay a $300,000 ransom following several weeks of negotiations but was later released publicly. The exposed data reportedly includes sensitive clinical notes and patient details. Eholo Health has not publicly acknowledged the incident or confirmed whether affected individuals or regulators have been notified.

89. INC ransomware group claimed responsibility for a cyberattack on the City of Meriden, Connecticut, alleging it stole data from municipal systems. The city first reported an “attempted interruption” to its network in February, which caused weeks of service disruptions, including delays to water billing and ongoing issues at city clerk and tax offices. The group later listed Meriden on its leak site and shared sample documents as proof of its claims, though officials have not confirmed the breach or the extent of any data compromise. Investigations remain ongoing, and it is unclear what data, if any, was accessed or exfiltrated.

90. Qilin ransomware group claimed responsibility for a cyberattack targeting U.S.-based chemical manufacturing giant Dow Inc., alleging that it gained access to corporate systems and exfiltrated internal data. The claims have not been independently verified, and details regarding the type or volume of data allegedly compromised have not been disclosed. Dow has not publicly commented on the incident, and the full scope and impact remain unclear.

February

February recorded 82 publicly disclosed ransomware incidents, with healthcare emerging as the most targeted sector, accounting for 31% of reported attacks. Organizations across 20 countries disclosed incidents during the month, with the United States the most affected with 51 incidents. A total of 24 ransomware groups were linked to publicly claimed attacks, led by ShinyHunters with eight incidents, followed by Qilin with six. Notably, 41% of attacks were not yet attributed to any known ransomware group.

Find out who made ransomware headlines in February.

1. Nova Biomedical recently reported that a data security incident it experienced last year compromised the sensitive personal information of 10,764 individuals. Unauthorized access to internal networks was discovered on December 18, 2025, prompting an investigation to be immediately launched to determine the nature and scope of the incident. The compromised data included names and other personal identifiers including SSNs.

2. According to a notice on its company website, Hosokawa Micron Corporation suffered from a cyber incident in early February. The incident did not impact business operations, but the organization did confirm that electronic files were accessed by threat actors. Everest claimed responsibility for the attack, allegedly stealing 30GB of data. The group’s dark web post also included a number of screenshots of stolen documents, posted as proof of claims.

3. Everest ransomware group claimed to have breached Iron Mountain, a major global data management and storage firm, alleging the theft of around 1.4 TB of internal and client-related information and threatening to publish it if their demands weren’t met. While screenshots of allegedly compromised directories were posted on the group’s dark web leak site, Iron Mountain has stated that the incident was limited to a single folder of marketing materials accessed via a compromised credential and that no ransomware was deployed on its core systems.

4. It was announced that Onze-Lieve-Vrouw Instituut (OLV) Pulhof, a secondary school in Berchem, Belgium, suffered a ransomware attack shortly after the Christmas break. The attack disrupted its internal systems and prompted threats to leak or sell sensitive data relating to students and staff unless a ransom was paid. BitLock, who were reported to be responsible for the incident, initially demanded around €100,000, later lowering it to about €15,000, but the school declined to engage or pay, following guidance from authorities. In a troubling escalation, the threat actors then contacted parents directly, demanding €50 per child and threatening to expose personal information if payments were not made. Belgian prosecutors confirmed an ongoing investigation, and the school has advised parents not to comply with payment requests as it works to secure its systems and assess the impact.

5. INC ransomware group has claimed responsibility for a cyberattack on UK-based management software provider Distinctive Systems. The group added the company to its data leak site, publishing what it says are internal documents and contracts as evidence of the breach. Distinctive Systems confirmed it is investigating a cybersecurity incident that occurred in January and stated that all appropriate notifications have been made at this stage of the investigation.

6. Neurological Associates of Washington confirmed it notified 13,500 state residents of a December 2025 cyberattack which led to a data breach. Data compromised includes names, SSNs, diagnoses, medical information, and other types of personal information. The clinic confirmed that its facilities server that stored medical records was attacked and encrypted. DragonForce took credit for the attack, claiming to have stolen 1.4 TB of data from the clinic. Sample images of allegedly stolen documents were added to DragonForce’s dark web post.

7. Everest ransomware group claimed it had breached internal systems associated with Poly, the enterprise communications business now part of HP Inc., alleging the theft of around 90 GB of internal data and posting screenshots on its leak site as supposed proof. The materials shared appear to show engineering files, code listings and documentation tied to legacy Polycom systems, the brand HP acquired in 2022, rather than current production environments, and there is no independent confirmation that HP’s current networks or customer data were compromised. HP has acknowledged the allegations and said it is investigating, but so far has found no evidence of an active breach or impact to its customer systems.

8. Match Group, the operator of popular dating services including Match.com, Hinge, OkCupid, and Tinder, confirmed it experienced a cybersecurity incident after the threat actor group ShinyHunters claimed to have obtained and posted millions of records and internal files linked to its platforms. Match Group said the unauthorized access was quickly terminated and that it is investigating the matter with external experts, stressing that there is no evidence attackers accessed user login credentials, financial data, or private messages, though a limited amount of user-related information and internal documents were exposed and affected individuals are being notified as appropriate.

9. ShinyHunters claimed it had breached Bumble Inc., alleging the theft of roughly 30 GB of internal data from cloud services such as Google Drive and Slack and posting it on its leak site. Bumble confirmed that a contractor’s account was compromised in a phishing attack, which allowed brief unauthorized access to a limited portion of its systems, but said the incident was quickly contained. The company emphasized that no member database, user accounts, private messages or dating profiles were accessed, and it has engaged external cybersecurity experts and law enforcement to investigate the situation.

10. German insurer HanseMerkur, headquartered in Hamburg, has been listed on DragonForce’s dark web leak site following claims of a ransomware attack in early 2026, with threat actors alleging they exfiltrated nearly 97GB of internal data, including financial documents such as invoices, tax records, and vouchers, as well as possible files linked to partner Emirates Insurance. HanseMerkur has not publicly confirmed the incident or disclosed any operational impact.

11. Maryland-based Lakeside Title Co. is the target of a proposed class action lawsuit following an alleged ransomware attack. The suit claims inadequate data security exposed personally identifiable information of thousands of customers and employees. Play ransomware group claimed responsibility for the attack but did not provide detailed information relating to the type or amount of data stolen during the incident.

12. Central Ozarks Medical Center notified 11,818 individuals that some of their personal and protected health information was compromised during a November 2025 cyberattack. The types of information compromised include names, SSNs, financial account information, medical treatment information, and health insurance information. No further information relating to this attack has been made public.

13. Philippine tech firm Lenotech Corporation was allegedly targeted in a ransomware attack when the Tengu ransomware group listed the company on a dark web leak site, claiming to have exfiltrated around 136 GB of internal data and threatening to publish it if negotiations did not begin. The samples posted reportedly include internal directories and service-related files, but Lenotech has not publicly confirmed the incident.

14. In Denver, Clinic Service Corporation confirmed that it had experienced a hacking incident which led to the exposure of sensitive information. A forensic investigation confirmed that its network had been accessed for a seven-day period in August 2025. Both PII and PHI were compromised during the incident. 82,331 individuals were impacted.

15. Insightin Health announced that it experienced a cyberattack in September 2025 that led to the unauthorized access of patient data. A data review revealed that exposed files included protected health information associated with its clients. Medusa claimed responsibility for the attack and threatened to publish the stolen data. The group claims to have exfiltrated 378 GB of data from the organization.

16. ShinyHunters claimed responsibility for a November cyberattack on the University of Pennsylvania in Philadelphia. The ransomware group published datasets that it claims contain more than one million records belonging to the university. The university did not specify the exact categories of data involved, stating only that systems related to alumni relations and fundraising had been accessed. During the incident, attackers sent emails to alumni from official university email accounts announcing the intrusion.

17. ShinyHunters also published datasets of more than one million files allegedly belonging to Harvard University. The university confirmed that it had suffered a cyberattack in November which compromised its alumni systems. Attackers used phone calls to trick individuals into clicking malicious links or opening harmful attachments. Harvard confirmed that exposed information included contact information, donation details and other biographical data connected to alumni engagement and fundraising activities.

18. Customers of newsletter platform Substack were warned that email addresses, phone numbers and other metadata were leaked in a recently discovered data breach. The platform stated that it discovered a problem within its systems in early February that allowed an unauthorized third party to access limited user data. Credit card numbers, passwords and other financial data were not leaked. The statement made by the company followed an unknown hacker claiming to have stolen personal information of about 700,000 users.

19. Beacon Mutual Insurance Company confirmed it was the victim of a cyberattack in January. A notice was posted on the organization’s website following requests for comments prompted by Beacon’s appearance on ransomware tracking websites. It was confirmed that the company’s production environment was not involved in the incident, but that the company’s network was disconnected as a preventative measure. INC took responsibility for the attack, claiming to have pilfered 275 GB of highly sensitive internal data from Beacon, adding screenshots to its leak site as proof of claims.

20. Romania’s national oil pipeline operator Conpet confirmed it was hit by a cyberattack that disrupted its corporate IT systems and took its public website offline while its core pipeline operations continued unaffected. The company said it is investigating the incident with national cybersecurity authorities and has filed a criminal complaint with the Directorate for Investigating Organized Crime and Terrorism (DIICOT). Although Conpet has not disclosed technical details of the breach, the Qilin ransomware group has claimed responsibility, listing the operator on its dark web leak site and alleging the theft of nearly 1 TB of internal documents, including financial records and passport scans.

21. Lynx took credit for a cyberattack on Lakelands Public Health in Ontario, Canada. The incident caused some programs and services to experience temporary outages. LPH was unable to give details about the attack due to the ongoing nature of the investigation. Lynx claims to have stolen confidential information, posting sample images of alleged stolen documents on its leak site.

22. Sapienza University of Rome, one of Europe’s largest universities with around 120,000 students, suffered a major cyberattack that forced its IT infrastructure offline for several days, disrupting access to key services such as exam booking, email and administrative systems. University officials shut down network systems as a precaution while a technical task force, supported by Italy’s National Cybersecurity Agency and law enforcement, worked to restore services from unaffected backups. It is not clear who is responsible for this attack, but reports stated that a link was sent to the university demanding a ransom and giving a 72-hour deadline to pay.

23. In Australia, Epworth HealthCare was allegedly breached by 0APT ransomware group, which claims to have stolen 920 GB of data from the healthcare provider. The hackers’ leak post states that the stolen data includes surgical records, patient names, and billing details. The ransomware group stated that it was actively negotiating with Epworth but that the involvement of any external parties would result in an immediate sample leak to local media. However, Epworth has said that it has found no evidence of a breach.

24. The Jefferson Blount St. Clair Mental Health Authority in Alabama notified 30,434 people of a November 2025 data breach. It is believed that the stolen data, which includes both PII and PHI, was collected by JBS Mental Health between 2011 and 2025. Medusa took credit for the breach and demanded a $200,000 ransom to destroy 168.6 GB of stolen data. To prove its claim, Medusa posted sample images of what it says are documents from JBS’s servers.

25. DOCS Dermatology Group disclosed a security incident that was identified in late November 2025. An investigation determined that an unauthorized third party had access to its networks over a seven-day period, during which data was compromised. Although the data review remains ongoing, DOCS has determined that compromised data includes PII, PHI and billing information. It is not known who is responsible for this attack or how many people have been impacted.

26. A total of 3,722 clients of the Center of Neuropsychology and Learning in Michigan were affected by a data breach following unauthorized access to one of the organization’s servers. The intrusion was discovered in November 2025, and a subsequent forensic investigation found that the server had been accessed in late October. The compromised system stored protected health information, though it did not contain highly sensitive data.

27. BridgePay Network Solutions, a major U.S. payment gateway provider, confirmed it was hit by a ransomware attack that knocked its systems offline and triggered a widespread outage affecting merchants, municipalities and other organizations that rely on its infrastructure for processing card payments. The incident, first detected on February 6, disrupted core services including APIs, virtual terminals and hosted payment pages, forcing some businesses to resort to cash-only transactions while services were unavailable. BridgePay engaged federal authorities along with external forensic and recovery teams, and said initial investigations show no payment card data was compromised despite files being encrypted. Restoration efforts are ongoing with no clear timeline for full recovery as the company works to securely bring systems back online.

28. CoinbaseCartel added Dolby Laboratories, a major US tech corporation, to its dark web blog. The ransomware group did not provide any data samples or information relating to the breach. Dolby has not commented on the alleged breach.

29. WindRose Health Network informed certain patients of a security incident discovered in August 2025 involving unauthorized access to parts of its network. The affected systems contained both personal information and protected health information. While the specific data involved differs by individual, the organization believes that approximately 691 individuals were impacted by the breach.

30. In New Hampshire, Cottage Hospital detected unauthorized access to its computer network. A forensic investigation determined that hackers had access to a single file server in October 2025. The hospital confirmed that files had been exfiltrated in the incident. The impacted server contained current and former employees’ names, SSNs, driver’s license numbers, and potentially bank account information. 2,156 individuals were affected by the incident.

31. IT management software company SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server. The attack impacted the company’s office network and data center hosting quality control testing systems, SmarterTools’ portal, and its Hosted SmarterTrack network. Hackers compromised the mail server and moved laterally to the Windows servers in the data center, compromising 12 of them. Reports suggest that Warlock ransomware group was responsible for the attack.

32. 1,800 individuals were affected by a data breach at Pit River Health Service in California. An unauthorized third party hacked its systems and copied data. The healthcare provider confirmed that no data was altered or deleted in the attack. As a result of the incident, some patient services were delayed. It is not known who is responsible for the attack.

33. Brush manufacturer Trisa was targeted by Lynx ransomware group, who claimed to have exfiltrated over 1 TB of information. Trisa confirmed the incident, stating that the attacker had managed to infiltrate “clearly defined and strictly limited” areas of its IT systems for a short time. According to the company, less than one percent of the company’s data was copied. The company filed a criminal complaint following the incident.

34. Following a ransomware attack on Senegal’s Directorate of File Automation, the government department suspended operations and shut down services tied to national ID cards, immigration, and other biometric data. A senior police official stated that authorities were working to restore affected systems and that the integrity of citizens’ personal information remains intact. Green Blood Group claimed to have breached the agency and exfiltrated 139 GB of data. The group claims that stolen materials include database records, biometric information, and immigration documents. Sample files were released to support the claim.

35. Pecan Tree Dental confirmed that it experienced a cybersecurity incident involving unauthorized access to its computer systems. A notice on the dental clinic’s website was light on detail but stated that steps were being taken to secure its systems and an investigation into the incident had been launched. Official notifications indicate that up to 13,300 individuals had their protected health information exposed in the incident. Sinobi took credit for the attack, claiming to have exfiltrated 250 GB of data. The group has since leaked the stolen information on the dark web.

36. 83,354 individuals were affected by a data security incident involving the Counseling Center of Wayne and Holmes Counties. The incident caused widespread disruption to its IT systems. An investigation was launched, all impacted systems and accounts were removed, and credentials were reset. The forensic investigation determined that an unauthorized party had exfiltrated files including both PII and PHI.

37. Japan Airlines announced that unauthorized access to the reservation system on its Same-Day Luggage Delivery Service may have exposed the personal information of up to 28,000 customers. A third-party accessed the system, causing the services to be rendered temporarily unavailable. The potentially compromised data includes personal information and other travel-related details.

38. The Augusta Housing Authority, one of Georgia’s largest public housing agencies, was reportedly targeted in a ransomware attack linked to the Qilin group, who posted the agency on its dark web leak site alongside several other victims. Sample documents posted by the group included personal data from low-income housing applicants and city employees. The incident affected some internal systems and potentially exposed sensitive applicant and employee data, including correspondence documents, utility reimbursement reports and payroll-related files that were shared as proof of access. Local officials took affected systems offline to contain the breach, engaged cybersecurity responders, and worked to restore services, though it remains unclear whether personal information was publicly disclosed or if a ransom demand was made.

39. EyeCare Partners announced an email security incident that was identified in January 2025. An investigation into the incident confirmed that an unauthorized third-party had accessed multiple managed email accounts in late 2024 / early 2025. Data compromised in the incident includes names, contact information, health plan information, and limited clinical information. It has been reported that 17,110 individuals were affected.

40. California-based MedRevenu Inland Physicians Hospitalist Services notified relevant authorities of a cybersecurity incident that took place in 2024. The incident caused network disruption and resulted in the exposure of personal, financial and health information. BianLian claimed responsibility for the attack shortly after it happened and later leaked the stolen information.

41. Dutch telecommunications provider Odido suffered a significant cyberattack that exposed sensitive personal data from its customer contact system, affecting an estimated 6.2 million accounts. Hackers gained unauthorized access over the weekend of February 7–8 and downloaded names, addresses, mobile numbers, email addresses, bank account numbers, dates of birth and government ID details, though passwords, call records and billing information were not compromised. Odido promptly blocked the intrusion, engaged external cybersecurity experts and reported the incident to the Dutch Data Protection Authority while assuring that its core services remained unaffected. Following a ransom demand from the threat actors, parts of the stolen data were later published on the dark web after Odido reportedly refused to pay.

42. Atlas Air, a major U.S. cargo airline, denied that its systems were compromised after Everest ransomware group added the organization to its leak site. Everest claimed to have pilfered 1.2 TB of sensitive technical information, including Boeing aircraft data. Screenshots provided as proof of the claims included aircraft maintenance and repair reports, repair and logistics documentation, and internal operational corporate files.

43. Akira ransomware group added Canadian retailer Ardene to its leak site, claiming to have stolen 58 GB of data. Ardene notified customers of a cyber incident that impacted its internal systems in January, causing shipping delays. Ardene stated that it was not aware that any customer data had been compromised. Akira claims to have stolen financial data, customer and employee information, and other confidential information.

44. Sakata Seed Corporation reported a cyber incident affecting servers at its US consolidated subsidiary, Sakata America Holdings Corporation Inc. The seed producer is working with U.S. law enforcement and an external cybersecurity firm to investigate the point of infiltration and potential data access. There was no significant disruption to normal business operations. Qilin has claimed responsibility for this attack.

45. A cyberattack on Grund Nursing Home System in Iceland led to the exposure of sensitive information relating to tens of thousands of individuals. The attack caused significant disruption, affecting the operations of the entire organization. It was confirmed that the stolen information spans many years.

46. Livingston HealthCare in Montana stated that its phone systems had been restored following a cyberattack. The attack disrupted communications and led the hospital to take some systems offline. An update in mid-February said that some network services remained limited, but that patient care continues. No ransomware group has stepped forward to take credit for this incident.

47. Washington Hotel, a major hospitality brand in Japan, confirmed that it was the victim of a ransomware attack after unauthorized access to several of its internal servers was detected on February 13, 2026. The breach exposed various business data on the compromised systems, prompting IT teams to immediately disconnect the affected servers from the internet and activate an incident response plan involving police and external cybersecurity experts to assess the impact and contain the threat. While customer information, such as loyalty program data stored on separate third-party systems, is currently believed to be unaffected, some hotel locations experienced temporary issues with credit card terminals and ongoing investigations are underway to determine the full scope and any potential data exposure. No ransomware group has publicly claimed responsibility for the attack.

48. The Cheyenne and Arapaho Tribes of Oklahoma stated that a ransomware attack forced them to shut down tribal computer networks. Email and phone services were disrupted and some operations were temporarily suspended as systems were restored. Rhysida took credit for the attack, demanding a $680,000 ransom in exchange for the stolen data. Tribal leaders stated they would not negotiate or pay and have not confirmed whether data was actually stolen.

49. Seagrass Boutique Hospitality Group confirmed that it fell victim to a cyberattack orchestrated by Kairos ransomware. The cybersecurity incident involved unauthorized access to part of the company’s IT network, prompting the isolation of the affected system. An investigation into the incident remains ongoing. Kairos claimed to have exfiltrated 50 GB of data from the organization, giving a seven-day deadline to meet undisclosed demands.

50. Qilin added Mount Barker Co-operative, a West Australian food co-operative, to its leak site, alongside claims that 40 GB of internal data had been exfiltrated. The stolen data allegedly contains 55,361 files, but sample documents or additional information was available on the dark web listing. The Mount Barker Co-operative has not yet publicly addressed Qilin’s claims.

51. The ransomware group BravoX has claimed responsibility for breaching the systems of the Order of Chartered Accountants of Brittany. The group alleges it exfiltrated thousands of files totaling approximately 859 GB of data. Describing the information as highly sensitive, BravoX has issued a 12-day deadline before it plans to publish the stolen data.

52. The Aeromedical Society of Australasia (ASA) was allegedly hacked by LockBit. The not-for-profit was added to the group’s leak site, and while no evidence of the hack was shared, LockBit said it would publish the stolen data on February 26. ASA is aware of the claims made by the notorious ransomware group and has made contact with relevant authorities. The organization did state that it does not hold personal information on its platforms.

53. Major French multinational aerospace, defense, and security corporation Safran Group has denied being impacted by a cyberattack. The information allegedly stolen from its systems had been inadvertently exposed by a third-party provider. Safran Group had a data set with over a million lines of data stolen and leaked by a threat actor. Stolen data included names, emails, ERP references, and other order details. The firm did not experience operational disruption or adverse security impact from the incident.

54. OpenLoop Health is facing a potential class action over an alleged cyberattack that may have exposed the health data of 1.6 million people. Threat actors claim to have hacked OpenLoop’s computer system and to have accessed a cache of highly sensitive and private information. The lawsuit alleges OpenLoop failed to notify patients of the data breach.

55. Issaqueena Pediatric Dentistry recently reported a hacking incident that involved unauthorized access to PII and PHI. The incident is still being investigated, so the number of affected individuals has yet to be confirmed. The healthcare provider discovered the intrusion in mid-November when ransomware was used to encrypt files. Interlock claimed responsibility for the attack.

56. AltaMed Health Services Corporation recently alerted patients about a cybersecurity incident that took place in mid-December 2025. The incident limited access to some of its computer systems. Third-party cybersecurity experts were engaged to assist with the investigation, which remains ongoing. It has been determined that the compromised systems contained some patient information.

57. Germany-based athletic apparel and footwear manufacturer Adidas started an investigation into a potential data breach of one of its independent licensing partners following claims made by a cybercriminal group. An individual claiming affiliation with the Lapsus$ Group posted on BreachForums, asserting that the group had compromised Adidas’ extranet. The post claimed that 815,000 rows of data, including personal information and technical data, had been stolen. Company representatives stated that there is no indication that internal IT systems, e-commerce platforms, or consumer data have been affected by the incident.

58. The ShinyHunters ransomware group has been associated with a breach involving Figure Technology Solutions, claiming that personal and contact information linked to 967,200 accounts was stolen. The intrusion reportedly involved a limited number of files taken from the company’s internal network. The exposed data is said to include more than 900,000 unique email addresses along with additional personal details. After alleging that Figure declined to pay an undisclosed ransom, the group published 2.5 TB of data purportedly taken from thousands of loan applicants.

59. Advantest Corporation, a major Japanese semiconductor test equipment manufacturer, disclosed it is responding to a ransomware incident that was detected on February 15, 2026, after unusual activity was identified within its IT environment. The company immediately activated its incident response plan, isolated affected systems and brought in third-party cybersecurity experts to investigate and contain the breach. Preliminary findings suggest an unauthorized third-party may have gained access to parts of Advantest’s network and deployed ransomware, though no specific ransomware group has taken credit and there is no confirmed evidence of data theft at this stage. Advantest has stated that if customer or employee data is found to have been compromised, affected individuals will be notified directly, and it continues to investigate the full scope of the incident while reinforcing security measures.

60. North East Medical Services (NEMS) notified 91,513 patients of an October 2025 data breach following a cyberattack on its third-party software provider, UnitedLayer. The impacted data includes Social Security numbers and medical information. RansomHouse claimed responsibility for the attack, claiming to have encrypted UnitedLayer’s data and providing evidence packs to prove its claims. UnitedLayer has not confirmed the ransomware group’s claim.

61. Finance platform youX confirmed its systems were accessed by an unauthorized third-party during a cybersecurity incident. A hacker has claimed to have stolen information from 444,528 Australian borrowers including addresses, emails, phone numbers, government IDs and credit information. Another 629,597 loan applications, 229,226 driver’s licence numbers and 607,522 residential addresses were allegedly stolen, along with banking records, customer and staff details from 797 broker organizations.

62. ShinyHunters has claimed responsibility for a major breach of CarGurus, the U.S.-based online automotive marketplace, and published a dataset containing personal information tied to more than 1.7 million accounts after an apparent failed extortion attempt. The leaked archive, roughly 6.1 GB in size, is reported to include names, email addresses, phone numbers, physical and IP addresses, user account IDs, finance pre-qualification application data and dealer subscription information. CarGurus has not publicly confirmed the incident, but the breach has been added to Have I Been Pwned’s database.

63. Catalyst RCM, a U.S.-based medical revenue cycle management provider, confirmed that a ransomware-linked data breach first detected in November 2025 has impacted sensitive information it stored on behalf of healthcare clients. Between November 8 and November 9, 2025, an unauthorized actor used compromised credentials to access a secure file management system and copied data without permission. The compromised information may include names, dates of birth, payment card details, protected health information and insurance data for patients of clients such as Vikor Scientific (now Vanta Diagnostics), KorPath and KorGene, with regulatory filings indicating approximately 139,964 individuals were affected. The ransomware group Everest claimed responsibility on a dark web leak site.

64. WIRX Pharmacy has notified 20,104 individuals of a December 2025 cybersecurity incident that may have resulted in unauthorized access to protected health information. Upon discovering suspicious activity, systems were secured and an investigation was launched. A review of exposed files confirmed that personal and protected health information were present in the files on the compromised parts of its network. The affected data varies from individual to individual.

65. In California, Emanuel Medical Center started notifying current and former patients about a May 2025 security incident. Cybersecurity experts confirmed unauthorized access to the healthcare provider’s network in May, and that files containing personal and protected health information were present on affected systems. Data compromised in the incident varies from individual to individual.

66. Choice Hotels International disclosed that on January 14, 2026, a threat actor used a social engineering attack to gain unauthorized access to an internal application containing records related to franchisees and franchise applicants, despite multifactor authentication being in place. Choice detected the activity and shut it down in less than an hour, then determined through investigation that the accessed records included personal information such as names, contact details, Social Security numbers and dates of birth. The breach appears to be limited to franchisees and applicants rather than hotel guests. Regulatory notices have been filed in multiple U.S. states, though an exact total of impacted individuals has not been publicly disclosed. No ransomware group has claimed responsibility for the incident.

67. In Northern Ireland, Grange Dental Care fell victim to a cyberattack that resulted in fraudulent emails being sent from the practice’s system. The issue was identified quickly, and the practice’s IT provider was contacted immediately to prevent further damage. Certain information was accessed during the attack, but it appears that no sensitive data or personal information was compromised. Investigations remain ongoing.

68. The University of Mississippi Medical Center (UMMC) confirmed that it was hit by a ransomware attack that disrupted its IT network, taking down key systems including its Epic electronic medical records platform and forcing it to shut down clinics statewide and cancel elective procedures while recovery efforts continued. Officials worked with federal agencies including the FBI, CISA and DHS to respond to the incident and restore services. Hospital inpatient and emergency services remained operational using downtime procedures, but phone, email and electronic health systems were offline for days as teams assessed the damage, communicated with the attackers and rebuilt secure infrastructure. UMMC has since begun reopening clinics and rescheduling appointments more than a week after the attack, though the full scope of the breach and whether patient data was accessed has not been publicly disclosed.

69. The Grand Hotel in Taipei issued a warning to customers of a possible data breach after discovering unauthorized access to its information systems. Upon discovering the attack, the hotel disconnected affected systems, conducted a security review and notified relevant authorities to investigate the incident. The Gentlemen ransomware group claimed responsibility for the attack.

70. Wynn Resorts, the luxury casino and hotel operator, was targeted by the ShinyHunters cyber extortion group, which claimed to have stolen more than 800,000 employee records including sensitive personal information. ShinyHunters listed Wynn on its data leak site and demanded 22.34 BTC (about $1.5 million) to delete the data and prevent its public release, setting a deadline for the company to engage with its demands. The stolen records are reported to contain details such as names, Social Security numbers, phone numbers and other PII, though Wynn Resorts has stated its guest operations and physical properties were not impacted. ShinyHunters later removed Wynn’s listing from its leak site, which in some cases indicates negotiations or disputed claims.

71. 56,954 patients have been impacted by a cybersecurity incident involving Greater Pittsburgh Orthopedic Associates. Unauthorized third-party access to its IT network was discovered in August 2025, prompting an investigation into the incident. The forensic investigation determined that personal and health information was compromised during the attack. RansomHouse claimed responsibility for the attack.

72. Air Côte d’Ivoire, the flag carrier airline of Côte d’Ivoire, confirmed it was the victim of a cyberattack after parts of its information systems were breached on February 8. The airline activated its business continuity plans to ensure flights and operations continued normally while technical teams and national cybersecurity authorities investigated the incident. The INC ransomware gang claimed responsibility, asserting it had stolen around 208 GB of data and set a ransom deadline, though the airline has not confirmed the exact volume or nature of the compromised information.

73. The French Ministry of Finance disclosed a cybersecurity incident that exposed data associated with approximately 1.2 million user accounts after a threat actor accessed the FICOBA database. An internal investigation determined that a hacker used stolen credentials to access the platform, which records all bank accounts opened by French financial institutions. Information including bank account details, account holder identities, physical addresses, and in some cases, taxpayer identification numbers, may have been compromised. At this time, those responsible for this incident have not been publicly identified.

74. In Thailand, the Sasin School of Management has launched an investigation into a recent cybersecurity incident impacting a portion of its IT infrastructure. After detecting suspicious activity, the school took immediate steps to secure its systems and remove unauthorized access. The investigation remains ongoing, and at this stage there is no indication that critical data systems were breached. The Gentlemen ransomware group has claimed responsibility for the incident.

75. Qilin claimed responsibility for a cyberattack on the Transport Workers Union (TWU) Local 100, which represents tens of thousands of New York City transit workers and retirees, including subway, bus and ferry staff. Qilin added the union to its dark web leak site, alleging it had stolen 551 GB of sensitive information during the recent attack. While Qilin did not say how much information was taken or what files were involved, TWU Local 100 disclosed on its website its collection and retention of employees’ contact details, salary information, job titles, medical and insurance benefits, and retirement and pension planning information had been impacted.

76. UFP Technologies, a U.S.-based medical device and industrial component manufacturer, disclosed it was the victim of a cyberattack that disrupted parts of its IT environment and prompted the company to take affected systems offline as part of its response. The incident resulted in the encryption of certain data and temporarily impacted business operations while the organization worked with external cybersecurity experts to investigate and restore systems. UFP notified regulators and began reaching out to potentially affected customers, vendors and employees as part of the remediation process. No known ransomware group has claimed responsibility for this attack.

77. INC claimed responsibility for a cyberattack which caused disruption to the City of Cocoa in Florida. The city was forced to navigate a significant number of municipal IT issues that severely impacted local government operations. In response to the system failures, the City Council issued an emergency declaration and expedited the allocation of resources for system restoration and forensic investigation. INC added a number of leaked documents to its leak site to substantiate the claims but did not give information on the amount of data allegedly exfiltrated.

78. In mid-February, the Qilin ransomware group listed Western Australia-based electronics retailer Esperance Communications on its dark web leak site, alleging it had stolen 14 GB of data comprising more than 16,000 files. However, the group did not publish any screenshots or supporting documents to substantiate its claims.

79. Pathstone Family Office, a U.S.-based financial services firm, confirmed that it suffered a data breach after the ShinyHunters cybercriminal group published sensitive information on its leak site. According to the threat actor, the stolen dataset, consisting of 641,000 records, included financial documents and personally identifiable information tied to clients and employees, and was posted after the company reportedly declined to meet an unspecified ransom demand. While Pathstone acknowledged the incident and has been notifying affected individuals, it is working with cybersecurity specialists to assess the full scope of the exposure.

80. Hong Kong’s popular Ngong Ping 360 cable car attraction disclosed that it was the victim of a ransomware attack which resulted in the theft of personal data from its systems. The breach exposed information belonging to visitors who had purchased tickets online, including names, phone numbers, email addresses and payment card details, prompting the operator to report the incident to the Hong Kong Privacy Commissioner for Personal Data and offer support to those affected. Local authorities and cybersecurity experts were engaged to investigate the incident and strengthen defenses against future attacks.

81. Malaysia’s flag carrier Malaysia Airlines was listed by the Qilin ransomware group on its dark web leak site as a victim of a cyberattack, with the threat actor claiming to have exfiltrated sensitive data and threatening its public release unless negotiations take place. As of now, no proof or samples of stolen information have been published, and Malaysia Airlines has not officially confirmed the scope of the breach or what specific data, if any, was accessed.

82. 2,500 individuals have recently been notified of a ransomware attack on Apex Spine & Neurosurgery, which led to the compromise of their electronic protected health information. During the December attack, threat actors accessed its network and used ransomware to encrypt files. A forensic investigation confirmed that files were also accessed and copied during the incident. PII, PHI and some financial information were involved in the attack. Interlock ransomware group claimed responsibility for the attack, allegedly stealing 20 GB of data. Interlock proceeded to leak the stolen information as the ransom was not paid.

January

2026 opened with 91 publicly disclosed ransomware attacks. Healthcare was the most targeted sector with 27 incidents, followed by government with 11 and manufacturing with 10. Notably, 49% of the attacks recorded this month have not yet been publicly claimed by a known ransomware group. Among the claimed attacks, Qilin once again led activity with eight incidents, while 19 other groups were also linked to ransomware activity. The USA accounted for 58% of disclosed attacks, with organizations across 22 other countries also impacted, highlighting the truly global reach of ransomware.

Keep reading to find out who made ransomware headlines in January.

1. Kids’ footwear operator Esquire Brands was reportedly targeted by the Play ransomware group, which claims to have stolen sensitive company data. The group listed Esquire Brands on its dark web leak site and threatened to publish the data on January 3, 2026, if no contact was made. According to the post, the alleged data includes client documents, payroll records, financial information, and other confidential materials. Esquire Brands has not publicly acknowledged or commented on these claims.

2. Claims administration firm Sedgwick confirmed a cybersecurity incident at its government-focused subsidiary after the TridentLocker ransomware group publicly claimed responsibility for stealing approximately 3.4 GB of sensitive data. The affiliate, Sedgwick Government Solutions, which provides risk management and claims services to several U.S. federal agencies, was listed on TridentLocker’s dark web leak site on December 31, 2025, with the attackers threatening to expose the stolen information. Sedgwick said it activated incident response protocols, engaged external cybersecurity experts and notified law enforcement, emphasising that the breach was limited to an isolated file transfer system with no evidence of impact on broader systems or its ability to serve clients. 

3. U.S. hot sauce and food products manufacturer Garner Foods, known for brands like Texas Pete, was claimed as a victim by Play, which posted the company on its dark web leak site in early January 2026, warning it would publish allegedly stolen data if contact was not made by January 7. According to the Play dark web post, the alleged data includes confidential information, client records, budget and payroll details, though the extent of the compromise and volume of data taken has not been publicly verified. Garner Foods has not yet issued a public statement confirming or addressing the ransomware group’s claims.

4. New Zealand–based patient portal ManageMyHealth was the target of a significant ransomware attack, during which Kazu reportedly breached the platform, exfiltrating hundreds of thousands of sensitive medical records affecting over 120,000 users. The attackers demanded a ransom, reportedly around $60,000, and threatened to publicly release the stolen data. ManageMyHealth secured its systems, notified authorities and sought a High Court injunction to block dissemination of the files. ManageMyHealth publicly confirmed the cybersecurity incident, acknowledging the breach’s impact on a portion of its user base, and is working with law enforcement and regulators while notifying affected patients, although questions remain about the full scope and response to the compromise.

5. In Canada, Leduc County became aware of a ransomware incident that had taken place on December 25, 2025. The attack disabled some of the county’s IT systems, including its email platform and website form submissions. Some other IT systems were proactively disabled during an ongoing forensic investigation. No known ransomware group has claimed the attack.

6. Florida-based engineering firm Pickett and Associates was reportedly the subject of a significant cyberattack in early January, with an unknown threat actor claiming to have stolen approximately 139 GB of sensitive engineering and infrastructure data tied to major U.S. utilities such as Tampa Electric Company, Duke Energy Florida, and American Electric Power. The group is offering the data for sale on a dark web forum for around 6.5 BTC (about $580,000). The alleged haul includes raw LiDAR point cloud files, orthophotos, design files and other operational project data believed to relate to active utility infrastructure work. Pickett and Associates has not publicly confirmed the breach, and investigations into the claim are reportedly underway by affected clients.

7. A recent cyberattack on third-party payment processor Global-e exposed personal data for customers of companies using its services, including hardware wallet maker Ledger. Hackers accessed names and contact information stored in Global-e’s systems for order processing, although neither Ledger’s internal systems nor sensitive wallet security details like recovery phrases or private keys were compromised. Affected customers have been notified. It is not yet known who is responsible for this attack. 

8. More than one year after a ransomware attack, Denton County MHMR Center reported a major data breach that involved unauthorized access to the PHI of 108,967 current and former patients. Potentially compromised information includes medical history information, treatment information, insurance data and biometric identifiers.

9. U.S. fiber broadband provider Brightspeed is investigating claims by the cybercriminal group Crimson Collective that it accessed and exfiltrated sensitive data for over 1 million customers, including names, contact details, billing information and partial payment card data. The group announced the alleged breach via its Telegram channel in early January with a threat to release or sell the information publicly, posting sample records as purported proof. Brightspeed has not confirmed a breach of its systems or the extent of any data exposure and says it is actively reviewing the situation and keeping customers and authorities informed as its internal investigation continues.

10. Everest claimed that it had exfiltrated approximately 186 GB of sensitive data from global insurtech platform Bolttech, threatening to publish the information if its demands were not met. The group posted alleged proof on its dark web leak site, stating the data includes employee and agent account details, customer contact information, insurance policy records, mortgage-related files and other operational materials. Bolttech has not publicly confirmed or commented on the claims.

11. Australian car rental excess insurer Prosura disclosed a significant data breach and cyber incident after unauthorized access to parts of its internal IT systems was detected on January 3. The threat actor responsible for the incident obtained customer personal and policy information and began contacting customers with fraudulent communications. The compromised data is reported to include names, email addresses, phone numbers, travel and policy details, and, for some claimants, driver’s licence images, with attackers subsequently posting samples of the stolen records on criminal forums and attempting to sell them. Prosura took key online services offline, notified regulators and external cybersecurity experts, advised customers to be cautious of phishing attempts, and said it is investigating and securing its systems, emphasizing there is no evidence that payment card details were accessed.

12. Gulshan Management Services confirmed that it had notified 377,082 people about a September 2025 data breach that compromised personal information. The gas station operator informed victims that a successful phishing attack allowed unauthorized access to its systems. The unknown attackers also encrypted portions of GMS’s network. Compromised information includes names, SSNs, credit and debit card numbers, driver’s license numbers, and contact info. 

13. ASX-listed gold producer Regis Resources confirmed it had experienced a cybersecurity incident after the Lynx group claimed responsibility for an attack and listed a subsidiary, McPhillamys Gold, on its dark web site. Regis stated the activity was detected in November 2025 and that its security controls responded as designed, with a subsequent forensic investigation finding no evidence of data exfiltration and no ransom demand. The company said relevant authorities were notified and confirmed the incident had no material impact on operations or commercial activities.

14. Anubis ransomware group claimed that it had breached the systems of Australian medical clinic Laidley Family Doctors, listing the practice on its dark web leak site and alleging exposure of sensitive information. According to the group, data such as names, gender, Medicare details, and medical history was compromised during the incident. Data samples were also shared on the dark web as proof of claims. Laidley Family Doctors has not publicly confirmed or commented on the ransomware claims.

15. Lynx claimed responsibility for a cyberattack on St Joseph’s College Echuca, posting the Australian Catholic co-educational school on its dark web leak site and asserting it had encrypted or breached the college’s network and obtained data. According to the group’s listing, the incident was disclosed on January 5, though no proof was provided and the full details of any data compromise remain unclear. St Joseph’s College Echuca has not publicly responded to or confirmed the ransomware claims.

16. Bosch Choice Welfare Benefit Plan disclosed a data breach after unauthorized access to its systems exposed sensitive personal and health information of approximately 55,000 individuals. Compromised information included names, SSNs, DOBs, health insurance details, medical claims data and information related to medical conditions. 

17. Pearlman Aesthetic Surgery reported a breach of protected health information of 11,764 individuals. The specifics of the breach have not yet been disclosed, other than it being a hacking/IT incident.

18. Associated Radiologists of the Finger Lakes announced that it had identified unauthorized access to its computer network in October 2025. An investigation confirmed unauthorized access led to patient data being viewed or copied. The file review is currently ongoing but at this stage it is believed that both PII and PHI were compromised as a result of the incident.

19. Andover Eye Associates in Massachusetts announced that it experienced an email security incident that exposed the data of 1,638 individuals. An investigation confirmed that an unauthorized third party had accessed the accounts in May, leading to the exposure of sensitive information. The accounts contained patient names and Social Security numbers. It is not clear who is responsible for the attack.

20. Legal firm Gorlick, Kravitz & Listhaus announced that a September 2025 data breach had compromised sensitive personal information belonging to its clients. Information impacted varies depending on the individual, but names and SSNs were among the data types stolen. Akira claimed responsibility, allegedly exfiltrating 22 GB of data from the organization. 

21. Qilin claimed responsibility for a cyberattack on Italian water-sports equipment manufacturer Cressi, posting the company on its dark web leak site on January 8, 2026 and threatening to release sensitive data unless contact was made. According to the public listing, Qilin alleges it breached the organization’s systems, though it has not published data samples or detailed what information may have been accessed, and the extent of any exfiltration remains unclear. Cressi has not publicly confirmed or addressed these claims.

22. Details emerged of a November attack on the Royal Borough of Kensington and Chelsea Council in London that affected IT systems shared with neighbouring councils, leading to widespread disruption of services and confirmed unauthorized data copying by the attackers. The council acknowledged that some sensitive information was copied and taken from its network, with investigations ongoing to determine the full scope of the breach and whether personal or financial details were involved. Residents were warned to be vigilant against potential scams using the compromised information. The incident prompted notification of the Information Commissioner’s Office, involvement of the National Cyber Security Centre and Metropolitan Police, and communication to more than 100,000 households about possible risks stemming from the breach.

23. The Pell City School System informed parents of a data breach stemming from a ransomware attack in late 2025. The superintendent said the district’s student information system was not impacted, though a third-party vendor experienced a security incident that resulted in data theft. While the district has not provided further details about the information involved, it confirmed in its parent notification that it will not pay the ransom. The Safepay ransomware group claimed responsibility for the attack in December 2025 but did not release additional details about the breach.

24. Hale Makua Health Services, a non-profit healthcare provider based in Maui, Hawaii, reported a ransomware-related data breach to the U.S. Department of Health and Human Services after the Qilin ransomware group claimed responsibility. The group alleged it had accessed the organization’s systems and posted sample screenshots on its dark web portal as proof of access. The specific types of information exposed have not been publicly detailed. The HHS breach listing currently reflects a provisional figure of 500 affected individuals, which is expected to be updated following the completion of an internal investigation.

25. Anubis ransomware group publicly claimed responsibility for a cyberattack against Chilean energy and resources company Copec S.A., alleging it exfiltrated a substantial volume of corporate data and threatening to release the information unless negotiations occurred. According to the group’s posts, roughly 6 TB of sensitive data was taken and included internal documents, communications and employee-related files, though these claims have not been independently verified. Copec acknowledged the incident and said it detected and contained the activity without impacting operations or customer personal data, but details about the scope of the alleged data compromise remain unclear as the situation continues to be investigated.

26. The City of Midway, Florida, confirmed that its police department’s SmartCOP cloud-based records system was compromised in a ransomware incident, disrupting access to police documents and public records and prompting an ongoing investigation by local law enforcement. Officials said the breach may have affected sensitive public records and warned residents to be cautious of suspicious communications that could be tied to the incident, though details about what specific data was impacted have not been disclosed. The situation came to light after community members reported difficulties obtaining records, and authorities are urging vigilance while the investigation continues.

27. A class-action lawsuit alleges that premier Manhattan plastic surgeon Dr Richard Swift’s office was compromised in an apparent malware attack that resulted in the theft and public posting of highly sensitive patient information, including nude images, Social Security numbers, medical and financial records, and other personal data for at least 22 individuals on a Russian-hosted website. According to court filings, some patients only discovered their private images had been published after the hackers contacted them directly, and the suit claims the surgeon’s office failed to notify patients or authorities about the breach as required by law, leaving victims exposed to risks of identity theft, fraud and emotional distress. Plaintiffs allege the practice’s computer systems were inadequately protected, that multiple requests for information were ignored, and that the website remained active for months before it went offline, with the surgeon’s office declining to comment when contacted for a response.

28. Everest ransomware group claimed responsibility for a major cyberattack on Japanese automaker Nissan Motor Corporation, alleging it exfiltrated approximately 900 GB of internal data from the company’s systems and posting sample screenshots on its dark web leak site to support the claim. According to analysis of the shared samples, the alleged data includes internal documents such as dealership records, program files, and operational folders, and the group has reportedly given Nissan a deadline to respond before publishing the full dataset publicly. Nissan has not publicly confirmed or denied the breach claim.

29. The nonprofit behavioural healthcare organization The Devereux Foundation was reportedly targeted by The Gentlemen ransomware group, which claimed to have breached its systems and posted an extortion notice on a dark web forum warning that sensitive organizational data could be leaked unless contact was made. According to public breach notifications, the foundation detected suspicious activity and moved quickly to isolate affected systems and engage cybersecurity specialists, and it acknowledged that information related to employees, clients, donors, payors and partners may have been involved, including names, demographic, clinical and financial details. The investigation into the scope of the incident is ongoing.

30. The University of Hawaii Cancer Center suffered a ransomware attack that compromised servers supporting its research operations, resulting in the encryption of files and unauthorized access to sensitive research data, including documents containing Social Security numbers and other personal information of study participants. The centre said the breach did not affect clinical operations or medical treatment systems, and it engaged external cybersecurity experts to isolate affected systems, obtain decryption tools and work toward securing the destruction of data accessed by the attackers. 

31. Six months after the initial attack, Canopy Health notified some patients of a cyberattack which led to patient details being compromised. A statement from the healthcare provider confirmed that in mid-July unauthorized individuals gained access to part of its systems used by the administration team. While an investigation remains ongoing, Canopy noted that the threat actors may have accessed a small number of bank account numbers. 

32. South Korean conglomerate Kyowon Group, which operates across education, publishing and consumer services, confirmed it was hit by a ransomware attack that disrupted operations and may have exposed customer data, prompting an ongoing investigation with national authorities and external cybersecurity experts. Government investigators estimate that the incident could potentially affect up to 9.6 million user accounts, with abnormal activity detected across a large portion of the company’s servers and signs of a possible data leak under review. Kyowon has stated it is assessing the scope of the breach and has not yet confirmed whether personal data was actually accessed, and it plans to notify users transparently if a leak is verified. 

33. Avosina Healthcare Solutions confirmed that it notified 44,425 people of a July 2025 data breach that compromised names, addresses, medical info, and health insurance info. Qilin took credit for the incident in August, posting sample images as proof of claims on its dark web leak site. These images included an employee payslip, a medical intake form, a business contract, an invoice, and a medical report. 

34. Dublin Medical Center in Georgia recently started notifying individuals affected by an October 2025 cybersecurity incident. Suspicious activity was identified within its computer network, but it has not been confirmed when the unauthorized access started. The review of files confirmed that patient data was compromised in the incident, and that data types varied from individual to individual. The incident has impacted 32,090 patients. 

35. Vida Y Salud-Health Systems reported a data breach involving unauthorized access to the protected health information of 34,504 Texas residents. An investigation into the October attack has concluded and confirmed that names, addresses, dates of birth, SSNs, driver’s license numbers, account numbers and claims numbers had been stolen.

36. An unknown threat actor posted claims on dark web forums that they had obtained and were offering for sale internal data from U.S. retail giant Target, including an estimated 860 GB of source code, system configuration files and developer documentation tied to critical internal projects such as digital wallet services, networking tools and identity systems. Sample data was briefly made available in public repositories to demonstrate access before those resources were taken offline, and Target reportedly restricted access to its internal development infrastructure in response. The company has not publicly confirmed a breach or addressed the claims directly.

37. Appalachian Community Federal Credit Union notified 30,797 individuals about an October 2025 data breach. The breach compromised names, SSNs, and financial account info. Qilin took credit for the incident and claimed to have stolen 75 GB of data.

38. The Department of Education in Victoria, Australia confirmed that an unauthorized third party gained access to its education network, exposing personal information for current and former government school students across the state’s system. Attackers accessed student names, school-issued email addresses, year levels, school names and encrypted passwords stored in a central database, prompting the department to implement safeguards, temporarily disable affected systems and reset all student passwords as a precaution. The department said there is no evidence the accessed data has been publicly released or shared. Authorities, including the Office of the Victorian Information Commissioner, are now investigating the breach.

39. European travel company Eurail B.V., which operates the Interrail and Eurail pass systems, disclosed a data security breach in which unauthorized access to its customer database resulted in the exposure of sensitive personal and travel information. The compromised information is reported to include names, contact details, home addresses, dates of birth and, for some travellers, particularly participants in the EU’s DiscoverEU programme, passport details, bank account references and health data. The total number of affected individuals has not been disclosed and there is currently no evidence the data has been publicly misused. Eurail said it secured the affected systems, engaged external cybersecurity specialists and notified relevant data protection authorities while continuing its investigation and directly informing impacted customers.

40. Belgian hospital network AZ Monica was hit by a ransomware attack that forced the proactive shutdown of its IT servers, disrupting access to electronic medical records and leading to the cancellation of scheduled procedures and the transfer of critical patients to other hospitals as a precaution. With emergency departments operating at reduced capacity and paper-based processes in place, hospital leadership emphasised that patient safety and continuity of care remained the top priority while authorities and cybersecurity teams investigate the incident. There is no confirmed public disclosure that patient data was exfiltrated, and unverified reports of a ransom demand have not been confirmed by officials.

41. In Texas, Spindletop Center notified victims of a September 2025 ransomware attack which led to personal information being compromised. The attack rendered systems and servers inoperable for a limited time. Rhysida claimed to have stolen personal records belonging to 100,000 people, posting images on its dark web site as proof of claims, and demanding a ransom of 15 BTC (around $1.65 million). 

42. The Land and Agricultural Development Bank of South Africa (Land Bank) experienced a major IT systems disruption that took key services and internal systems offline as the organization investigated a suspected cyber incident affecting its operations. The bank said affected systems were taken offline as a precaution to protect its infrastructure and that internal teams, supported by external specialists, were working to restore full functionality and assess the cause of the outage. It is not yet clear if any information has been stolen during the incident. 

43. Ju Teng International Holdings Limited disclosed a data security incident after discovering a post on a dark web forum offering access to sensitive information reportedly obtained through a cyberattack targeting certain company laptops. Compromised data is said to include client names, project details, customer and supplier contact lists, and product information, and the company has launched an investigation and engaged cybersecurity specialists to assess the full scope and strengthen its security posture. INC was responsible for the attack, claiming to have stolen 200 GB of data. 

44. The Irish agri-trading company J Grennan & Sons was listed as a victim by the Akira ransomware group, which claimed on a dark web leak site that it had targeted the business and threatened to publish sensitive financial and personal information, including invoices and employee and customer records. J Grennan & Sons confirmed it was the victim of a cyberattack that significantly disrupted operations and engaged external cybersecurity experts, and said it is “reasonably confident” that data held on its systems had not been accessed.

45. Spanish energy provider Endesa, one of the country’s largest electricity and gas companies, confirmed that it detected unauthorized access to its commercial platform, resulting in the exposure of customer personal and contract-related information and triggering an ongoing cybersecurity investigation. A threat actor on dark web forums claimed to have obtained a large database, allegedly over 1 TB of data tied to more than 20 million individuals, including names, contact details, national identity numbers, energy contract information and, in some cases, bank IBANs. 

46. Genesis claimed responsibility for a December 2025 ransomware attack on Upper Township, New Jersey. Genesis claimed to have stolen 100 GB of data from official servers, threatening to publish it if an undisclosed ransom was not paid. The data is said to include financial and personal information. Township officials claim that an investigation into the incident is ongoing and that they are aware of the data posted on the dark web.

47. U.S. food delivery platform Grubhub confirmed that hackers gained unauthorized access to certain internal systems and stole company data, prompting an ongoing investigation and involvement of law enforcement and external cybersecurity specialists. The company said that while financial information and order histories were not affected, attackers did extract data from some systems. Sources have indicated the ShinyHunters group is attempting to extort Grubhub by threatening to leak Salesforce and Zendesk-related information unless they are paid a ransom. Grubhub responded by stopping the activity, strengthening its security posture and working to contain the incident, but has not disclosed the full extent or specific nature of the compromised data.

48. The Port System Authority of the Central Adriatic Sea (Ancona) was hit by a cyberattack that resulted in data theft and publication on the dark web. The Anubis ransomware group exfiltrated approximately 56,000 files across 8,000+ folders, including internal administrative documents and employee-related data (potentially HR and sensitive records). The Authority stated the stolen material represented roughly 2% of its overall data, and the incident occurred during a broader IT migration to Italy’s national strategic infrastructure.

49. Qilin ransomware group publicly claimed responsibility for a cyberattack on Moen, the U.S.-based manufacturer of faucets and plumbing fixtures, posting the company on its dark web leak site and warning that sensitive data would be released unless contact was made. Qilin has not disclosed how much data it may have exfiltrated nor released any sample files alongside its listing. Moen has not publicly addressed the claims. 

50. NightSpire ransomware group claimed it breached systems at the Hyatt Place Chelsea New York hotel, alleging it exfiltrated roughly 48.5 GB of sensitive data and posting samples on a dark web leak site to support its claim. Stolen files reportedly include internal documents such as invoices, expense reports with employee names and contact information, signatures, partner company data and potentially employee login credentials. 

51. Chinese electronics manufacturer Luxshare, a key assembler for major tech companies including Apple, Nvidia and Tesla, was reportedly the target of a ransomware attack orchestrated by RansomHouse. The ransomware group claimed to have infiltrated its systems, stealing more than 1 TB of confidential data, including engineering files such as 3D CAD models, circuit board designs, internal product documentation and employee personal information. According to threat actor posts on dark web leak sites, the stolen data spans projects tied to multiple high-profile clients and could enable reverse-engineering, production of counterfeit products or targeted attacks. Neither Luxshare nor affected partners have publicly confirmed the breach or commented on the claims.

52. TotalEnergies is investigating claims of a large-scale data breach after a hacking group began posting samples of what it says is a database of nearly 184 million customer records on social media and cybercrime forums. The attackers assert the exposed information includes email addresses, client IDs, bank account numbers, home addresses, phone numbers and other personal details tied to customers of the French energy giant’s services. TotalEnergies has not confirmed a breach or validated the data, and the full scope and authenticity of the alleged incident remain under review.

53. A serious cyberattack caused an extended closure at Higham Lane School in the UK and, while the school has since reopened, staff continued to face significant limitations in accessing IT systems. The incident disabled core digital infrastructure, preventing the school from operating essential safety and administrative systems. It was also confirmed that data was removed during the attack, although the school has not disclosed what types of information may have been impacted.

54. Imperial Beach Community Clinic recently disclosed a cybersecurity incident and data breach that was identified almost one year ago. Unusual activity was detected within the healthcare provider’s email environment in mid-April 2025. An investigation determined that an unauthorized individual had access to certain email accounts, and certain information had been acquired. Compromised data includes both PII and PHI of an undisclosed number of individuals. 

55. In Wisconsin, Valley Eye Associates announced that it fell victim to a ransomware attack in early October 2025. An investigation determined that a ransomware group had access to its network for a one-day period, during which time files were exfiltrated from its network. Qilin claimed responsibility for the attack and published the stolen data, which it claimed amounted to 139 GB.

56. The Canadian Investment Regulatory Organization (CIRO), Canada’s national self-regulatory body for investment dealers and market activity, confirmed that a sophisticated phishing attack led to a significant data breach affecting approximately 750,000 Canadian investors, with threat actors accessing and copying sensitive personal and financial information. Stolen data includes dates of birth, phone numbers, annual income, social insurance and government-issued ID numbers, investment account numbers and account statements. CIRO said it contained the incident, engaged external forensic experts, and found no evidence that the stolen data has been misused or has appeared on the dark web.

57. The Ayuntamiento de Beniel (Beniel Town Hall) in Spain experienced a serious cybersecurity incident that temporarily knocked its municipal IT systems offline, disrupting regular administrative operations and forcing staff to work manually while services were restored. Local officials activated security protocols and are working with regional and national cyber authorities to investigate the extent and impact of the breach, though details about any specific data compromise have not been disclosed. The Gentlemen ransomware group claimed responsibility and threatened to publish sensitive information unless contact was made.

58. Everest claimed responsibility for a cyberattack on ASRock Rack, a major server and datacenter hardware manufacturer, alleging it exfiltrated approximately 509 GB of sensitive data including technical documentation, firmware, software, BIOS files, diagnostic tools and baseboard management controller (BMC) firmware. The listing on Everest’s dark web leak site also included screenshots posted as proof of claims. ASRock Rack has not issued a public confirmation or detailed response to the claims.

59. Reproductive Medicine Associates of Michigan (RMAM) informed patients of a recent cyberattack in which unauthorized threat actors accessed its network and stole sensitive data. The organization identified suspicious activity and took immediate steps to secure its IT environment. The specific types of information affected have not yet been confirmed, and the investigation into the scope of the incident is ongoing.

60. Indian music streaming platform Raaga confirmed a major data breach in which unauthorized access to its systems resulted in the exposure of personal information for approximately 10.2 million users, with the stolen dataset subsequently offered for sale on underground cybercrime forums. The compromised information reportedly includes email addresses, names, gender and age details, geographic location data and passwords hashed using unsalted MD5. Raaga has not released detailed disclosures about how the breach occurred or what specific systems were affected.

61. The Minnesota Department of Human Services started notifying nearly 304,000 individuals after unauthorized access was identified within its MnCHOICES system. An investigation determined that for most of the individuals affected, stolen information was limited to demographic data. For 1,206 individuals, additional information was accessed, including some medical details. No known threat actors have stepped forward to claim responsibility for the incident.

62. Genesis added Advanced Family Surgery Center (AFSC) to its dark web leak site, claiming to have exfiltrated 100 GB of data. Compromised data allegedly includes healthcare data, financial data, operational data and personal information. A file tree was also added to the dark web post, listing files in the exfiltrated data. According to the threat actors, AFSC was made aware of the incident in late November, with a spokesperson even showing up to negotiate at one point. AFSC has not publicly addressed these claims. 

63. Dermatology Associates in Kentucky announced that an August 2025 security incident may have resulted in unauthorized access to patient data. An investigation into the incident confirmed that the unauthorized access over a two-month period resulted in the exposure of confidential information. It is not known who is responsible for the attack. 

64. Everest ransomware group claimed responsibility for a major breach targeting McDonald’s India, alleging the exfiltration of approximately 861 GB of sensitive data, including internal company documents and personal customer information such as contact details and business records. The attackers published samples on a dark web leak site and set a deadline for a response before threatening wider data release. McDonald’s India has not yet publicly confirmed the incident.

65. Technology company Paylogix announced it had experienced a data breach in which sensitive personal information may have been compromised. The organization experienced network disruption involving certain computer systems. Akira claimed responsibility for the attack, allegedly exfiltrating 185 GB of data. 

66. French authorities launched a preliminary investigation after a cyberattack on Waltio, a cryptocurrency tax reporting platform used by thousands of investors. Hackers believed to be the group ShinyHunters accessed and attempted to extort data tied to approximately 50,000 users, including email addresses and summary information from 2024 tax reports such as crypto holdings and balances, although Waltio says sensitive credentials and funds were not compromised.

67. Dresden State Art Collections suffered a targeted cyberattack that disrupted large parts of its digital infrastructure, severely limiting online services like ticketing, visitor support and the museum shop. While physical security systems and museum operations remained intact, digital and telephone systems were largely offline as IT and forensic teams worked to restore services, and investigations continue in coordination with police and state authorities. Details on data theft or specific exfiltrated information have not been disclosed, and the identity of the attackers remains unknown.

68. Rogers Capital Credit, a financial services firm in Mauritius, suffered a data breach during which customer information was obtained and published on the dark web. The exposed records, primarily dating up to December 2022, include highly sensitive personal data such as copies of passports and national ID cards, proof of address, income documentation, and for some clients, banking, credit and civil status information. The Bank of Mauritius has warned the public to exercise vigilance, monitor financial accounts closely, and be alert for potential fraud and phishing attempts as the full scope of the incident continues to be assessed. The Gentlemen ransomware group claimed responsibility for this attack.

69. Nike is investigating a potential data breach after the cybercrime group WorldLeaks publicly claimed to have stolen and leaked approximately 1.4 TB of internal data from the company, including more than 188,000 files related to product design, manufacturing, supply chain and operational information. While Nike has confirmed it is assessing the situation, emphasizing its commitment to data security, it has not yet verified the full scope or confirmed whether customer or employee personal data was exposed.

70. The New York-based Civil Service Employees Association confirmed that a data security incident it experienced last year compromised the sensitive personal information of 47,352 individuals. Upon discovering the unauthorized activity, CSEA took immediate action to secure the network, while notifying relevant law enforcement authorities. The compromised data includes names and other personal identifiers such as SSNs. No known hacker group has claimed responsibility for the attack. 

71. Columbia Medical Practice confirmed that patient information was compromised during a ransomware attack in November 2025, exposing the sensitive personal and medical data of up to 3,000 individuals. Threat actors exfiltrated data before deploying malware that encrypted files on certain systems. Columbia Medical Practice stated that its electronic medical record system was not accessed during the incident. Qilin took credit for the attack. 

72. MACT Health Board notified individuals affected by a November 2025 security incident which caused disruption to its IT systems. An investigation confirmed that an unauthorized third party had accessed its computer network and exfiltrated sensitive patient information. Rhysida claimed responsibility for the attack and uploaded samples of identity documents to its leak site as proof of its claims, demanding a ransom of 8 BTC ($622,000).

73. TriCity Family Services started notifying 2,511 patients about a data security incident which took place in Spring 2025. An investigation revealed that an unauthorized threat actor had access to its computer systems for around 6 months, during which time sensitive data was exfiltrated. INC took credit for the attack, claiming to have exfiltrated 22 GB of data from the healthcare provider. 

74. Enviro-Hub Holdings Ltd. disclosed that it was the victim of a ransomware attack, during which an unauthorized party gained access to its group servers. The company implemented containment and remediation measures and engaged external experts to investigate the incident, which has not yet been determined to have materially impacted operations, and is still assessing the scope of any data accessed or exfiltrated. Enviro-Hub has also reported the incident to Singapore’s Personal Data Protection Commission as part of its ongoing response.

75. Laurel Health Centers confirmed that an unauthorized third party accessed portions of its email environment in July 2025, potentially exposing sensitive patient information. An examination of affected email accounts found that data, including both PII and PHI, were viewed. The data involved varies by individual. At this time, no ransomware group has claimed responsibility for the attack.

76. Rhysida took credit for a November 2025 ransomware attack on Cytek Biosciences in California. The organization sent data breach notices to 331 people in November, alerting them to the fact that personal information was exposed during the incident. Rhysida added Cytek to its leak site, with a number of images posted as proof of claims. The dark web post now states that all of the data taken during this attack has been sold. 

77. Apparel company FullBeauty Brands confirmed that it notified at least 1,191 people of an October 2025 data breach that compromised names and SSNs. Everest took responsibility for the incident in mid-November and intentionally leaked all of the supposedly stolen data on its dark web site after FullBeauty failed to respond to the ransom deadline. 

78. Clop ransomware group claimed responsibility for a cyberattack targeting Hilton Hotels, posting the hospitality giant on its dark web leak site. Clop has not backed up the claim with evidence such as data samples and has not disclosed how much data was allegedly exfiltrated. Hilton has stated it has no evidence that its systems or data were compromised. The situation remains under investigation, and Hilton continues to assess any potential impact.

79. Nova ransomware group has claimed responsibility for a cyberattack on KPMG Netherlands, listing the firm on its dark web leak site and threatening to publish up to 500 GB of allegedly stolen data if ransom demands are not met. The group reportedly posted the claim on 23 January 2026, stating it had exfiltrated sensitive information and issuing a 10-day ultimatum for negotiations. KPMG has denied that its systems were compromised and says it is monitoring the situation, meaning the scope and authenticity of the alleged breach remain unverified while investigations continue.

80. It was revealed that individuals who received services from Mitchell County Department of Social Services have had their sensitive information stolen in an October ransomware attack. The attack encrypted files and caused email and phone outages for a number of days. A forensic investigation revealed that there had been unauthorized network access for four days in October, during which time files were exfiltrated. The data review and investigation remain ongoing to determine the types of information involved and the individuals affected.

81. Sanxenxo City Council in Spain has been hit by a cyberattack that encrypted data and compromised thousands of administrative documents, disrupting municipal operations. The attackers reportedly demanded a ransom of $5,000 in Bitcoin in exchange for releasing the encrypted files, but the city has indicated it plans to recover without paying.

82. Crunchbase has confirmed a data breach after the ShinyHunters hacking group leaked millions of records online. The exposed information included usernames, email addresses, hashed passwords and API keys, and was first posted on cybercrime forums before being shared more widely. Crunchbase says it has reset compromised credentials, notified affected users, and implemented additional security measures.

83. Russian security systems provider Delta, which manages alarm and vehicle security services, was hit by a large-scale cyberattack that caused widespread service outages across its home, business and car alarm platforms. Delta acknowledged the incident as a “large-scale, coordinated and well-organized” external attack and said its technical teams are working to restore systems after phone lines and its website went offline. Customers reported being unable to deactivate alarms or unlock vehicles, and some experienced vehicle systems malfunctioning due to the disruption. While Delta maintains no customer personal data has been confirmed leaked, an anonymous Telegram channel claiming to be linked to the attackers published an alleged stolen data archive. 

84. 360 Dental in Philadelphia reported a data breach that affected 11,273 individuals. A ransomware attack in November led to the encryption of files and the exposure of sensitive patient data. The types of data involved vary from individual to individual and include names in combination with other PII and PHI.

85. Langley Twigg Law, a New Zealand law firm, is investigating a cyberattack attributed to Anubis after the hackers posted employee and client passport scans and other sensitive documents on an underground forum. The breach involved unauthorized access to its systems and theft of personal identity information, prompting the firm to engage forensic experts, notify authorities and affected individuals, and take systems offline while it works to contain the impact.

86. Auckland-based Brinks Poultry Ltd has allegedly been hacked by the Clop ransomware group, with the threat actors claiming to have stolen internal company data and listing the business on Cl0p’s dark web leak site. The incident reportedly involved unauthorized access and exfiltration of internal documents, and attackers are using extortion tactics to pressure the company into contacting them. Brinks Poultry is currently assessing the scope of the breach, engaging cybersecurity experts, and working to contain and remediate the incident.

87. Winona County, Minnesota, experienced a ransomware attack that disrupted several county systems, forcing the IT department to take multiple networks offline to contain the incident. The breach affected services including tax and motor vehicle systems, and the county confirmed it was working with law enforcement and cybersecurity partners to investigate the attack and restore operations. Officials have not disclosed whether any data was exfiltrated or if a ransom demand was made, but precautionary steps and extended service delays reflect the significant operational impact on local government systems.

88. The Vladimir Bread Factory, one of the largest bakery producers in its region of Russia, recently suffered a cyberattack that knocked out its internal digital systems, including office computers, servers and electronic document management tools. The disruption didn’t stop production itself, but it complicated order processing and deliveries, leading to temporary supply challenges for retailers and customers as the company reverted to manual processing while it works to restore systems.

89. The City of New Britain, Connecticut, was hit by a ransomware attack that disrupted internet, phone, and internal systems for more than 48 hours, forcing city officials to activate incident response protocols and work with state and federal authorities, including the FBI, to assess the impact and restore operations. Despite the disruption, emergency services and essential functions continued, and additional cybersecurity resources were brought in to investigate the incident, although it remains unclear if resident data was compromised.

90. The Tulsa International Airport in Oklahoma was reportedly hit by a Qilin ransomware attack, with the cybercriminal group posting leaked internal documents, including financial records, internal emails, and employee ID information, on its dark web leak site. It is not yet clear whether airport operations or customer data were directly affected.

91. In Slovenia, gas supplier Geoplin was hit by a ransomware attack orchestrated by Sinobi. The ransomware group demanded $8.2 million in exchange for an undisclosed amount of stolen data. The company and its owner confirmed that they had detected a cybersecurity incident and are taking the necessary measures in response. It is not clear what types of data were exfiltrated during the attack. 
