Last Updated: June 2nd, 2026 | 251 min read | Categories: Ransomware, Research

The State Of Ransomware 2026

May

May saw 95 publicly disclosed ransomware attacks worldwide, affecting organizations across 17 countries. The United States remained the primary target with 54 attacks, while Australia experienced a notable uptick with 18 incidents. Healthcare was the hardest-hit sector, accounting for 28 attacks and continuing to be a prime target for ransomware groups. Qilin led all ransomware groups with 11 claimed victims, and with 37 different groups naming victims during the month, the ransomware ecosystem showed no signs of consolidation or slowing down.

Find out who made ransomware headlines in May:

1. Good Samaritan Health Center in Georgia has notified approximately 10,000 individuals following a ransomware attack on an internal server in February 2026. The organization isolated the affected server and successfully restored it from backups. While there is no confirmation that data was accessed or exfiltrated, the healthcare provider stated it could not rule out that possibility. Information stored on the compromised server included individuals’ names, dates of birth, ZIP codes, and limited clinical data.

2. Liberty Mutual is investigating claims by Everest ransomware group that it stole more than 108 GB of data containing policyholder information and insurance-related records. The threat actor alleged that the dataset includes customer names, addresses, policy numbers, and financial and insurance details, and published samples after a deadline for negotiations expired. Liberty Mutual stated that its initial investigation found no evidence of a compromise of its own systems and indicated the incident may be linked to a third-party vendor. The company continues to assess the scope and impact of the alleged breach.

3. Sydney-based property investment and management consultancy Prime Properties was listed as a victim by the emerging M3rx ransomware group. The threat actors claim to have exfiltrated approximately 100 GB of data comprising more than 81,000 files, although the company has not publicly confirmed the breach or the nature of any compromised information. According to reports, no ransom demand, payment deadline, or evidence of the alleged data theft has been disclosed.

4. The Standard-Examiner, a newspaper serving northern Utah, was listed as a victim by Qilin following reports of significant production difficulties that disrupted print deliveries in April. While Qilin claimed responsibility for a cyberattack and alleged it had compromised the organization, the newspaper has not publicly confirmed a ransomware incident, data theft, or any connection between the operational disruptions and the threat actor’s claim. As of the latest reports, no evidence of data exfiltration or details regarding potentially compromised information have been disclosed, and the incident remains unverified.

5. Hungarian media conglomerate Mediaworks confirmed it is investigating a cyber incident after WorldLeaks claimed to have stolen and published approximately 8.5 TB of company data. According to reports, the leaked files allegedly include payroll records, contracts, financial statements, and internal communications. Mediaworks acknowledged that a significant volume of data may have been obtained by unauthorized parties but has not verified the authenticity of all leaked materials. 

6. Hanover County Public Schools (HCPS) in Virginia disclosed that a malicious actor gained access to its network in March 2026 and attempted to deploy ransomware before being detected and removed. An investigation found that the attacker may have accessed sensitive personal information belonging to students, staff, and other individuals, including names, SSNs, financial account details, and government-issued identification information. While HCPS stated it has found no evidence that the information has been misused, the school district notified potentially affected individuals out of an abundance of caution and continues to work with cybersecurity experts and law enforcement to assess the full impact of the incident.

7. Instructure’s Canvas learning management platform suffered a major cyberattack, with ShinyHunters claiming to have stolen 3.65 TB of data affecting approximately 275 million students, teachers, and staff across nearly 9,000 educational institutions worldwide. The attackers alleged they accessed names, email addresses, student ID numbers, and private user messages, though Instructure stated there was no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. The incident disrupted coursework and final exams at schools and universities globally, and Instructure later confirmed it had paid a ransom in an effort to prevent the stolen data from being leaked. While the company did not disclose the amount paid, cybersecurity experts have speculated that the attackers may have initially demanded as much as $10 million, although neither the ransom demand nor the final payment amount has been publicly confirmed.

8. Vergennes-based Basin Harbor Resort disclosed that it was impacted by a ransomware attack in October 2025 after threat actors gained unauthorized access to its computer systems and exfiltrated sensitive data. The compromised information included SSNs, government-issued identification numbers, financial account details, and payment card information. The incident affected approximately 3,150 individuals. In November 2025, Akira ransomware group claimed responsibility for the attack.

9. Australian luxury jewelry retailer Gregory Jewellers confirmed it was investigating a cyber incident after Kairos ransomware group claimed to have breached the company and stolen approximately 574 GB of data. The ransomware group listed the retailer on its dark web leak site and alleged they had exfiltrated a significant volume of internal information, although they did not publicly disclose the specific contents of the dataset. Gregory Jewellers acknowledged the incident and confirmed it was conducting an investigation to determine the validity of the claims and assess any potential impact. At the time of reporting, the company had not confirmed whether customer or employee information had been compromised, and the full scope of the alleged breach remained under review.

10. New Zealand electrical contractor McKay confirmed it was the victim of a cyberattack in January 2026 after being listed on the dark web leak site of the emerging Mnt6 ransomware group. The company said an unauthorized party gained access to a single internal device, prompting it to activate its incident response plan and quickly isolate and contain the breach. McKay stated that its core IT systems remained secure and operational throughout the incident, a finding that was independently verified by a third-party cybersecurity specialist. The company notified affected customers and relevant authorities, including New Zealand’s Office of the Privacy Commissioner and National Cyber Security Centre, while also obtaining a High Court injunction to restrict the disclosure of any potentially compromised data.

11. Jamaican conglomerate RJR Communications Group disclosed that it was targeted in a cyberattack that disrupted some of its systems and operations. The company said it immediately activated its incident response protocols, engaged cybersecurity specialists, and implemented containment measures to investigate and mitigate the incident. Shortly after the attack, LockBit claimed responsibility, listing RJR on its dark web leak site and issuing a 15-day deadline for the company to meet undisclosed demands. While RJR did not confirm any connection to LockBit’s claims or disclose whether data was accessed or stolen, it stated that business continuity plans were activated to minimize operational impact. The organization continues to assess the scope of the incident and monitor its systems as part of an ongoing investigation.

12. GS1 South Africa, the organization responsible for issuing and managing product barcodes across the country, denied claims by Stormous that it had suffered a data breach. Stormous alleged it had gained access to the organization’s systems and exfiltrated sensitive customer, employee, financial, and operational data, including information stored on SharePoint and SQL servers. However, GS1 South Africa stated that while it detected and contained an attempted malicious intrusion, its investigation found no evidence of unauthorized access, data exfiltration, ransomware deployment, or operational disruption. The organization said its security controls functioned as intended and described the threat actor’s claims as false.

13. Zona Ovest Torino, a public consortium serving several municipalities in the Turin metropolitan area, was reportedly targeted in a ransomware attack that disrupted access to its online services. According to reports, attackers encrypted systems and left a ransom note demanding payment within approximately two days, threatening that affected data could become permanently inaccessible if the deadline was not met. SafePay ransomware group later claimed responsibility for the attack and threatened to publish allegedly stolen information unless the organization entered negotiations. At the time of writing, officials had not confirmed whether data was exfiltrated, and the full scope of the incident remained under investigation.

14. German recycling and circular economy services provider Interzero disclosed that it was investigating a suspected IT security incident after a ransomware group publicly claimed to have breached the company and obtained corporate data. Interzero stated that it immediately engaged internal security teams, external forensic specialists, and relevant authorities to assess the situation and secure its systems. The company emphasized that it had not verified the attackers’ claims and had found no confirmed evidence that its systems were compromised or that personal or business data had been exfiltrated. Shortly before the disclosure, FulcrumSec claimed responsibility for the alleged breach, listing Interzero on its leak site and threatening to publish data unless the company entered negotiations. Interzero reported that its services and operational processes remained unaffected while the investigation continued.

15. Global commercial real estate services firm Cushman & Wakefield confirmed a limited cybersecurity incident stemming from a vishing attack after being listed by ShinyHunters. ShinyHunters claimed to have stolen more than 500,000 Salesforce records containing personally identifiable information and internal corporate data and gave the company a three-day deadline to respond to undisclosed ransom demands. Cushman & Wakefield acknowledged the incident, stating that it activated its response protocols, contained the unauthorized activity, and engaged third-party cybersecurity experts to support the investigation. While the company confirmed the breach originated from a social engineering attack, it did not verify the threat actors’ claims regarding the volume or nature of the allegedly stolen data and stated that its systems and operations remained fully functional throughout the response effort.

16. Australian home builder Champion Homes confirmed that customer information was compromised in a cyber incident after DragonForce ransomware group claimed responsibility for the attack. The company disclosed that an unauthorized third party accessed and exfiltrated data from its systems, with the affected information including customer names, contact details, identification documents, and other records provided during the home-building process. Champion Homes stated that it had contained the incident, engaged cybersecurity specialists, and notified impacted individuals. Meanwhile, DragonForce listed the company on its dark web leak site, claiming to have stolen 44 GB of corporate and customer data and threatening to publish the information if its demands were not met.

17. The City Council of Valdemoro, Spain, experienced a cyberattack that affected several municipal servers and temporarily disrupted access to public services, including the local website and internal administrative systems. Authorities activated cybersecurity protocols, isolated affected infrastructure, and launched an investigation with support from specialized technicians and law enforcement. While officials worked to restore normal operations, they stated there was no immediate evidence that citizen data had been compromised. Shortly after the incident, Kairos ransomware group claimed responsibility, alleging it had breached the municipality’s systems and obtained sensitive data, though these claims had not been independently verified at the time of reporting.

18. Anubis ransomware group claimed responsibility for a cyberattack against Colorado Dental Wellness Center, alleging it exfiltrated more than 115,000 files totaling approximately 86 GB of data before encrypting the organization’s servers. According to the threat actors, the stolen information includes sensitive patient and employee records, such as medical data, insurance documents, identification records, and other personally identifiable information. Anubis further claimed it gained access through the organization’s VPN, demanded an initial ransom of $270,000 that was later reduced to $200,000 during negotiations, and ultimately published the data after talks broke down. As of the latest reports, Colorado Dental Wellness Center had not publicly confirmed the attack or verified the group’s claims.

19. Healthcare software provider RXNT disclosed a data breach after an unauthorized actor gained access to one of its systems between March 1 and March 3, 2026, and obtained copies of patient data associated with multiple healthcare clients. According to the company, the compromised information included patient names, dates of birth, addresses, contact details, and patient identification numbers. RXNT notified affected customers in May and offered to manage breach notification requirements on their behalf while investigations continued. Subsequent reports revealed that the incident also exposed prescription information belonging to members of the U.S. Congress through the Office of the Attending Physician, including names, addresses, dates of birth, physician names, pharmacy information, and prescription records. The total number of affected individuals has not yet been publicly disclosed.

20. Qilin claimed responsibility for a cyberattack against Sysco, the world’s largest food distributor, listing the company on its dark web leak site and setting a May 12, 2026, deadline for undisclosed ransom negotiations. As proof of access, the ransomware group published screenshots of alleged internal documents and company data, claiming they had compromised Sysco’s network. While Qilin threatened to release additional information if its demands were not met, Sysco had not publicly confirmed a breach or disclosed any operational impact at the time of reporting.

21. Akira ransomware group claimed responsibility for a cyberattack against Switzerland’s Réseau Radiologique Romand (Groupe 3R), alleging it had stolen 48 GB of data containing sensitive patient information, employee identification documents, payment details, and corporate records. The attack occurred on April 30, 2026, and disrupted IT systems across the organization’s network of 20 medical imaging centers, forcing some patient examinations to be postponed or redirected to other facilities. Groupe 3R confirmed it had suffered a ransomware attack and reported reduced system availability but stated it was unable to determine whether any data had been accessed or exfiltrated. The organization notified Swiss cybersecurity authorities, filed a criminal complaint, and confirmed that it would not pay a ransom.

22. Energy Action is investigating claims that it was the victim of a cyberattack after SafePay listed the Australian energy management firm on its dark web leak site. According to the threat actors, approximately 470 GB of data was stolen during the alleged breach, and screenshots of purported internal documents were published as proof of access. The company acknowledged awareness of the claims and engaged cybersecurity specialists to determine whether its systems had been compromised. Energy Action had not confirmed any unauthorized access or data theft, and the full scope of the alleged incident remains under investigation.

23. Horizon Media confirmed it notified an undisclosed number of current and former employees about a January 2026 data breach after discovering that an unauthorized actor had accessed and exfiltrated sensitive personal information. The compromised data included names and SSNs, prompting the company to offer identity protection and credit monitoring services to affected individuals. On the same day the breach was disclosed, Chaos ransomware group claimed responsibility, alleging it had stolen 3.2 TB of data from the advertising giant and threatening to publish the information within 48 hours if its demands were not met. While Horizon Media acknowledged the breach and confirmed that employee information was compromised, it did not publicly verify the threat actor’s claims regarding the volume of data allegedly stolen.

24. The Académie de Montpellier, one of France’s largest regional education authorities, disclosed a cyberattack that resulted in the exposure of sensitive internal documents. According to reports, the leaked information included administrative records, internal correspondence, financial documents, and files containing personal data relating to employees and educational operations. MedusaLocker ransomware group claimed responsibility for the attack, alleging it had exfiltrated data from the organization and later published samples of the stolen files online. French authorities launched an investigation into the incident and worked to assess the scope of the exposure, while the academy implemented measures to secure affected systems and limit any further impact.

25. Empire Express notified 5,414 individuals that their personal information was compromised in a data breach stemming from a cybersecurity incident discovered in May 2025. According to the company, an unauthorized actor gained access to parts of its network between May 7 and May 11, 2025, and may have accessed files containing sensitive information. The exposed data varied by individual but included names, SSNs, driver’s license numbers, financial account information, and medical information. Following the incident, Empire Express launched an investigation, notified law enforcement, implemented additional security measures, and offered affected individuals complimentary credit monitoring and identity protection services.

26. A ransomware attack disrupted portions of Accretech America’s IT environment on May 4, 2026, prompting the semiconductor equipment manufacturer to disconnect affected systems and engage external cybersecurity specialists to investigate the incident. The company stated that its assessment was ongoing and that it had not yet determined whether any customer or employee information had been compromised. Shortly after the disclosure, AiLock ransomware group claimed responsibility for the attack, alleging it had obtained sensitive corporate data and threatening to publish the information unless its demands were met. Accretech continues to investigate the scope and impact of the incident while working to restore affected services.

27. Western Orthopaedics disclosed a data breach affecting 113,330 individuals after discovering unauthorized access to its network between September 17 and September 25, 2025. An investigation determined that files containing personal, financial, and protected health information may have been viewed or acquired, including names, addresses, phone numbers, SSNs, dates of birth, financial account information, health insurance details, medical provider information, dates of service, and billing records. Following the incident, the Colorado-based healthcare provider implemented additional security measures and offered affected individuals complimentary credit monitoring and identity theft protection services. PEAR later claimed responsibility for the attack and reportedly published the stolen data after ransom negotiations failed.

28. Community Health Systems disclosed a data security incident after detecting suspicious activity within its network in February. An investigation conducted with the assistance of third-party cybersecurity experts confirmed that an unauthorized party accessed portions of the network containing patient information. The compromised data varied by individual but may have included names, addresses, email addresses, phone numbers, dates of birth, SSNs, financial account information, driver’s license numbers, medical record numbers, treatment and diagnosis information, prescription details, health insurance information, Medicare and Medicaid identifiers, and medical billing records. The California healthcare provider stated that it is reviewing and enhancing its data protection policies and procedures, though the total number of affected individuals has not yet been disclosed.

29. Integrated Pain Associates is continuing to investigate the full scope of a data security incident after confirming that an unauthorized party accessed its network in February. The Texas-based pain management provider said patient information may have been accessed or acquired, including names, addresses, dates of birth, driver’s license numbers, SSNs, health insurance information, diagnosis and treatment details, medication information, provider names, and financial account information. While the review of affected files remains ongoing, the organization has implemented additional security measures and is offering complimentary credit monitoring and identity theft protection services to impacted individuals. The total number of affected individuals had not been reported.

30. Patients of Tri-Cities Gastroenterology began receiving breach notification letters after the Tennessee-based healthcare provider determined that files had been exfiltrated from its network during a cyberattack in December 2025. An investigation found that the stolen files contained personal and medical information, including names, SSNs, dates of birth, addresses, email addresses, telephone numbers, gender, and medical record numbers. Insomnia claimed responsibility for the attack shortly after the incident and later published the stolen data on its leak site, indicating that a ransom demand had not been met.

31. Qilin ransomware group claimed to have breached Spanish supermarket chain Ahorramas and published samples of allegedly stolen company data on its leak site. According to the group, the exposed information included employee and customer identification documents, financial records, tax information, payroll data, internal contracts, and store plans. The publication of the files suggests that data may have been exfiltrated from the company, although Ahorramas did not publicly confirm the breach or verify the authenticity of the leaked information. The full scope and impact of the alleged incident remained unclear.

32. Australian automotive parts importer Strategic Imports is investigating claims of a cyberattack after being listed on the dark web leak site of Bavacai. The threat actors allege they stole data from the company and threatened to publish the information online. While Bavacai did not disclose how the alleged breach occurred, it published a file tree that it claimed showed the contents of the stolen data, including folders purportedly containing sensitive business and personal information relating to employees and customers. Strategic Imports acknowledged the claims and said it was investigating the matter but had not confirmed whether its systems had been compromised or whether any data had been accessed.

33. Hematology Oncology Consultants began notifying affected individuals following a September 2025 security incident that resulted in the likely exfiltration of personal and protected health information from its network. An investigation determined that the compromised data included names, medical records, health insurance information, and SSNs. The Michigan-based healthcare provider stated that it took immediate steps to secure its systems, launched a forensic investigation, and reported the incident to regulators. While the organization did not describe the event as a ransomware attack, Rhysida ransomware group claimed responsibility, alleging it had stolen the data and threatening to sell or publish the information if a ransom was not paid. The group later claimed to have sold a portion of the stolen data and leaked approximately 40% of the files allegedly exfiltrated during the attack. The total number of affected individuals has not yet been disclosed.

34. Trellix disclosed that an unauthorized party had gained access to a portion of its source code repository, prompting the cybersecurity firm to launch an investigation with the assistance of forensic experts and notify law enforcement. The company stated that there was no evidence the incident had affected its source code release process, customer products, or service delivery. Shortly after the disclosure, RansomHouse claimed responsibility for the intrusion and published screenshots that allegedly showed access to internal Trellix systems and management platforms. While the threat actors listed Trellix on their leak site, they did not disclose the type or volume of data allegedly obtained. Trellix said it continues to investigate the scope of the incident and assess the validity of the group’s claims.

35. A security incident affecting a limited number of customer accounts prompted Egnyte to launch an investigation and notify impacted users. The company determined that the unauthorized access resulted from credential-stuffing attacks using usernames and passwords previously exposed in breaches of other online services, rather than a compromise of Egnyte’s own infrastructure. INC extortion group claimed responsibility and published what it described as proof of access, alleging it had obtained data from affected accounts. Egnyte said its investigation found no evidence that its core platform or systems had been breached and maintained that the incident was limited in scope.

36. Serveis Mèdics Penedès, a healthcare provider in Spain, became the target of a SafePay ransomware attack after the group claimed to have stolen 3 GB of data from the organization and threatened to publish it unless a ransom was paid. According to reports, the threat actors issued a 48-hour deadline and posted samples of the allegedly compromised information on their leak site as proof of their claims. The exposed files reportedly included personal, administrative, and healthcare-related documents. Serveis Mèdics Penedès has not publicly confirmed the breach or verified the authenticity of the leaked data.

37. Genesis claimed responsibility for a March 2026 data breach at CarePoint Health, an Ontario medical clinic, alleging it stole 70 GB of medical, operational, and financial data. CarePoint previously confirmed that the breach exposed client information, including names, medical information, addresses, phone numbers, and dates of birth. The clinic said it first learned of the incident on March 19 after being contacted by a threat actor claiming unauthorized access to its network and data, and later confirmed that data had been stolen. CarePoint has not acknowledged Genesis’ claim, and the number of affected individuals, attack method, ransom demand, and whether any payment was made remain unknown.

38. Australian toy distributor KB Toys was listed on the dark web leak site of the M3rx ransomware group, which claimed to have stolen 36,840 files totaling approximately 140 GB of data from the company. To support its allegations, M3rx published a text file containing what it said was a complete inventory of the exfiltrated documents, including invoices, sales records, and other business files dated as recently as 2026. The ransomware group did not disclose any ransom demand or deadline for the release of the data. KB Toys has not publicly responded to the claims or confirmed whether a breach had occurred.

39. American Lending Center confirmed it notified 123,158 individuals about a data breach stemming from a July 2025 ransomware attack. The California-based small business lender said threat actors compromised its internal network, deployed ransomware, and accessed files containing sensitive personal information, including names, SSNs, and dates of birth. The company stated that it has no evidence the exposed information has been misused and is offering affected individuals complimentary credit monitoring and up to $1 million in identity theft insurance. No ransomware group had publicly claimed responsibility for the attack at the time of reporting.

40. West Pharmaceutical Services disclosed that it was responding to a ransomware attack that disrupted parts of its IT infrastructure and affected certain operational activities. The company said it detected unauthorized activity on its network, activated incident response protocols, and took systems offline to contain the incident. While the organization did not disclose whether any data had been accessed or stolen, it warned that the attack had impacted some manufacturing, shipping, and administrative operations. The company stated that it was working with external cybersecurity experts and law enforcement to investigate the incident and restore affected systems, while implementing contingency measures to minimize disruption to customers.

41. Australian environmental and geotechnical consultancy Earth Systems was listed on the dark web leak site of INC, which claimed to have breached the company and stolen internal data. As evidence of its claims, the threat actor published screenshots of documents that appeared to include project information, corporate records, and employee-related files. INC did not disclose the volume of data allegedly obtained or provide details on how the breach occurred. Earth Systems acknowledged the claims and confirmed it was investigating the incident but has not verified the authenticity of the leaked material or confirmed that any data had been compromised.

42. Dutch healthcare laboratory Clinical Diagnostics has been criticized by regulators following a July 2025 ransomware attack that exposed the medical records of more than 850,000 women who participated in cervical cancer screening programs. The Dutch Health and Youth Care Inspectorate concluded that the laboratory failed to meet mandatory cybersecurity requirements, including conducting an independent security review and performing adequate risk assessments to identify and mitigate threats to sensitive data. The attack was carried out by Nova ransomware group, which reportedly demanded approximately €1.1 million in cryptocurrency and published samples of the stolen data despite receiving a ransom payment. The incident remains under investigation, with large-scale compensation claims reportedly being prepared on behalf of affected individuals.

43. Scope Systems confirmed it suffered a cyber incident that disrupted customer access to its Pronto Xi hosted environment, support portal, and other cloud-hosted services. The company engaged external forensic specialists to investigate the incident and restore affected systems, while keeping customers updated on recovery efforts. By May 9, Scope Systems said it had found no evidence of data loss or data exfiltration and had begun restoring services from backups. In a subsequent update, the company reported that 53% of its servers had been restored and stated that it would share further details on the nature of the incident and how the threat actor gained access once the investigation is complete.

44. BWH Hotels disclosed a data breach after discovering that a threat actor had gained unauthorized access to a web application used to store guest reservation information. An investigation found that the attacker accessed the application on October 14, 2025, and continued to exfiltrate data until the intrusion was detected on April 22, 2026. The compromised information included guest names, email addresses, phone numbers, home addresses, reservation numbers, stay dates, and special requests. The hospitality giant said it immediately took the affected application offline, revoked the unauthorized access, and engaged external cybersecurity experts to assist with its response. The company has not disclosed how many guests were affected or whether the attacker demanded a ransom.

45. Mt. Spokane Pediatrics notified 32,021 individuals that their personal and protected health information was compromised in a January 2026 cyberattack. The Washington-based pediatric practice determined that a threat actor had exfiltrated files containing sensitive data, including names, dates of birth, SSNs, diagnoses, treatment information, medical record numbers, health plan beneficiary numbers, patient numbers, and dates of service. The organization stated that it is unaware of any actual or attempted misuse of the stolen information and is offering affected individuals complimentary credit monitoring services. While the breach notice did not describe the incident as a ransomware attack, LockBit ransomware group claimed responsibility and threatened to publish the stolen data within 20 days if its demands were not met.

46. Foxconn reportedly suffered a major ransomware attack claimed by the Nitrogen ransomware group, which alleged it stole nearly 8 TB of confidential data from the electronics manufacturer, including files linked to Apple and Nvidia. The threat actors claimed the stolen dataset contained millions of sensitive files tied to Foxconn’s business operations, though the exact nature of the data has not been officially confirmed. Reports indicate the incident affected facilities and operations across several U.S. states and parts of Mexico, including Wisconsin, Ohio, Texas, Virginia, and Indiana. Foxconn’s incident response teams reportedly moved quickly to contain the attack and restore systems, limiting prolonged disruption, but the potential exposure of large volumes of corporate and client-related data remains a significant concern.

47. Murray County, Georgia, was forced to close several government offices and suspend a range of public services following a cyberattack that disrupted county computer systems. The incident affected operations at the Tax Commissioner’s Office, Probate Court, and other departments, leaving residents unable to access services such as vehicle tag renewals and property tax transactions. County officials said they were working with cybersecurity specialists to investigate the incident and restore affected systems but did not disclose the nature of the attack or whether any data had been compromised. No ransomware group has claimed responsibility for the disruption.

48. Verber Dental Group disclosed a data breach after detecting suspicious activity within its network on January 27, 2026. An investigation determined that an unauthorized party had access to the Pennsylvania-based dental provider’s systems between January 26 and January 27 and may have accessed patient information, including names, dates of birth, SSNs, driver’s license or state identification numbers, medical records, and health insurance information. The total number of affected individuals has not yet been disclosed.

49. Preakness Healthcare Center disclosed a data security incident after detecting suspicious activity within its network on March 4, 2026. A subsequent investigation determined that an unauthorized third party had access to portions of the skilled nursing facility’s network between February 24 and March 4, during which time resident information may have been viewed or acquired. The potentially exposed data included residents’ names, demographic information, and limited clinical information for individuals admitted on or after January 1, 2019. The total number of affected individuals has not been publicly disclosed.

50. Northwoods Surgery Center notified 5,385 individuals after an investigation confirmed unauthorized access to its network between July 11 and September 8, 2025. The Virginia, Minnesota-based provider said files containing patient information may have been accessed or acquired, including names, addresses, dates of birth, health insurance details, medical record numbers, provider names, dates of service, medication information, diagnosis and treatment details, and billing or claims information. 

51. Hospitality technology provider Bluize was listed on Qilin’s dark web leak site, alongside claims that the group breached the company. However, the threat actors did not provide any details about the alleged incident, and the listing did not include sample data or evidence of compromise. Bluize, which provides IT and venue management solutions to pubs, bars, restaurants, and gaming venues, had not publicly commented on the claim at the time of reporting. The nature and scope of the alleged breach remain unclear.

52. Fluke Corporation confirmed it notified 18,517 individuals about a data breach after a threat actor exploited a vulnerability in a third-party application used by the company. According to Fluke, the attacker had access to a limited segment of its network between August 10 and October 7, 2025, exposing information that included SSNs, dates of birth, and an indicator of whether an individual had self-identified as having a disability. Cl0p ransomware group later claimed responsibility for the breach and listed Fluke on its data leak site, although the company has not publicly acknowledged the group’s claims. 

53. The Goodstone Group confirmed it was responding to a cybersecurity incident after the newly emerged CMD Organization ransomware group listed the Tasmanian hospitality provider on its dark web leak site. The threat actors claimed to have stolen company data and published several documents as evidence, including employee passport scans, a confidentiality agreement, and bank reconciliation details from one of the group’s hotels. The data was reportedly being offered for sale to the highest bidder, with an asking price of 9 BTC, approximately $1 million. Goodstone said it began responding to the incident on April 18, 2026, engaged external cybersecurity experts, notified the Australian Cyber Security Centre and the Tasmanian government, and found evidence that cybercriminals had removed some data from its network.

54. Belmont Aesthetic & Reconstructive Plastic Surgery reported a data breach to the U.S. Department of Health and Human Services affecting 528 individuals. While the cosmetic and reconstructive surgery practice has not publicly disclosed details about the incident, the breach appears to be linked to a ransomware attack. Insomnia ransomware group added the organization to its dark web leak site in March 2026 and threatened to publish allegedly stolen data if a ransom was not paid. The nature of the compromised information and the full circumstances surrounding the incident had not been disclosed.

55. Orem Eye Clinic disclosed a cybersecurity incident that affected approximately 5,800 patients and reported the breach to the U.S. Department of Health and Human Services. The Utah-based provider has not publicly released details about the nature of the incident or the specific types of information that may have been compromised. Around the same time, NightSpire ransomware group claimed responsibility for the attack, alleging it had exfiltrated 1 TB of data from the clinic and listing the organization on its dark web leak site. The clinic had not publicly verified the group’s claims at the time of reporting.

56. A network intrusion at Advanced Family Surgery Center exposed sensitive patient information after an unauthorized third party gained access to portions of the organization’s systems in November 2025. The affected files contained personal, medical, and insurance information, including SSNs, medical record numbers, treatment details, and Medicare and Medicaid identifiers. Following the incident, the healthcare provider strengthened its security controls and launched a review of its data protection practices. Genesis ransomware group later claimed responsibility for the attack, alleging it had stolen roughly 100 GB of data from the organization.

57. Shri Balaji Valve Components disclosed that it was hit by a ransomware attack after detecting unauthorized activity on its data server on May 15, 2026. The Indian manufacturer said it immediately implemented emergency measures to secure its systems, isolate affected infrastructure, and maintain business continuity while launching an investigation with internal IT teams and external cybersecurity specialists. At the time of disclosure, the company had not provided details on the scope of the incident, whether any data had been accessed or stolen, or whether operations were materially affected.

58. The Dutch Language Institute (Instituut voor de Nederlandse Taal) was forced offline following a cyberattack that disrupted its digital services and made several online language resources temporarily unavailable. The organization disconnected affected systems as a precaution while investigating the incident and working to restore operations. Shortly after the disruption, the ransomware group The Gentlemen claimed responsibility for the attack and listed the institute on its leak site. At the time of reporting, the institute had not disclosed whether any data had been compromised, and the full scope of the incident remained under investigation.

59. HDFC Asset Management Company disclosed a cybersecurity incident after receiving a communication from an anonymous source claiming to have accessed portions of its IT infrastructure. The company said it identified the incident on May 16, 2026, immediately activated its incident response procedures, and engaged a specialist cybersecurity firm to conduct a forensic investigation and assess the potential impact. While HDFC AMC did not reveal the nature of the incident or whether any customer or financial data had been compromised, it stated that preliminary findings indicate no material impact on business operations, investor services, or fund management activities. The investigation remains ongoing.

60. Generation Life was listed on the dark web leak site of Qilin ransomware group weeks after the Australian financial services firm disclosed a cyber incident involving unauthorized access through an external service provider. While Qilin claimed responsibility for the attack, the group did not publish any sample data or provide details about the scope of the alleged compromise. Generation Life said the incident had been contained and that it had found no evidence of unauthorized transactions or access to systems responsible for investment activities. The company added that it was working with specialist cybersecurity and forensic experts to investigate the threat actor’s claims and assess whether any data had been accessed.

61. Grafana Labs disclosed that a threat actor gained access to its GitHub environment and downloaded the company’s source code, prompting an internal investigation and remediation efforts. The observability platform provider said it found no evidence that customer data, personal information, customer systems, or business operations were affected by the incident. According to the company, the attackers attempted to extort Grafana Labs by threatening to release the stolen codebase unless a payment was made, but the firm refused the demand. The attack has been attributed to Coinbase Cartel. Grafana Labs said it has identified the source of the credential compromise, invalidated the affected credentials, and implemented additional security measures to protect its environment.

62. German healthcare audit organization Arwini e.V. is investigating a cyberattack after ransomware group Kairos claimed responsibility and alleged it had stolen 2.87 TB of data from the organization’s systems. Arwini, which processes health and billing information for statutory health insurers in Lower Saxony, said that up to 75,000 records could potentially be affected in a worst-case scenario, although it has not confirmed whether any data was actually exfiltrated. Sample files published by Kairos reportedly included correspondence between health insurance providers and medical practices, while the group threatened to sell the allegedly stolen data. The incident is being investigated by law enforcement and data protection authorities, with police confirming Kairos was behind the attack and coordinating with international partners as inquiries continue.

63. Excelas notified individuals of a data breach after discovering that an unauthorized third party had accessed certain systems between November 27 and December 3, 2025. The medical record organization and analysis software provider said a limited amount of data may have been viewed or copied, including names, dates of birth, SSNs, government-issued ID numbers, diagnoses, physician names, medications, medical record images, payment information, and health insurance details. Cl0p extortion group claimed it had exfiltrated sensitive data from Excelas’ systems, although the total number of affected individuals has not yet been disclosed.

64. Pulpdent Corporation disclosed a cybersecurity incident after detecting unauthorized activity within its network in March 2026. An investigation determined that sensitive information, including names, SSNs, driver’s license numbers, and financial account information, may have been exposed and potentially stolen. The Massachusetts-based dental research and manufacturing company began notifying affected individuals in May. INC claimed responsibility for the attack, alleging it had exfiltrated sensitive data from the company’s systems. The total number of affected individuals has not yet been publicly disclosed.

65. DragonForce claimed responsibility for a cyberattack against AdvancedHealth, alleging it stole 390 GB of data from the healthcare services provider, including 2.3 million lines of patient information, as well as partner agreements, management records, payroll data, and human resources files. The group posted the claim on its leak site and threatened to release 1,000 records per day until its demands were met. The allegation emerged weeks after Columbia Surgical Partners, one of AdvancedHealth’s affiliated clinics, disclosed a data breach involving its parent company. AdvancedHealth has not publicly acknowledged DragonForce’s claims, and the scope of the incident, the number of affected individuals, and whether any ransom was paid remain unknown.

66. Extant Aerospace confirmed that a ransomware attack detected on August 23, 2025, compromised personal information belonging to 3,012 current and former employees and other individuals. The Melbourne, Florida-based aerospace and defense electronics contractor said an unauthorized actor accessed certain internal systems and may have acquired data including names, addresses, dates of birth, and SSNs. Extant engaged external cybersecurity experts, secured affected systems, and notified law enforcement following the incident. No known threat group had claimed responsibility for the attack.

67. Australian engineering and manufacturing firm Metaval was listed on the dark web leak site of INC, which claimed to have stolen 80 GB of data from the company. According to the threat actors, the allegedly compromised information includes contracts, financial records, confidential business documents, customer data, incident reports, and HR files. INC threatened to publish the data within days if its demands were not met; however, the group did not provide any evidence to support its claims. Metaval had not yet publicly commented on the alleged breach.

68. Senegal’s Public Treasury (Trésor Public du Sénégal) announced the gradual restoration of its operations following a cyberattack that disrupted a number of digital services and internal systems. As recovery efforts continued, AuditTeam ransomware group claimed responsibility for the incident and published what it described as proof of claims on its leak site. The agency said technical teams were working to restore affected platforms while maintaining essential public financial services, with operations progressively returning to normal. Authorities have not disclosed whether any data had been compromised or verified the authenticity of the threat actor’s claims.

69. SafePay claimed responsibility for an April 2026 cyberattack against the Harrison County Commission in West Virginia, alleging it had stolen data from the organization and giving officials three days to meet its ransom demands. The incident disrupted county operations, forcing the courthouse to turn away residents attempting to pay property taxes and impacting a number of government services. While most systems had been restored by early May, some administrative functions remained affected. The Harrison County Commission has not acknowledged SafePay’s claims or confirmed whether any data was compromised, and the ransomware group’s allegations remain unverified.

70. Nacogdoches Memorial Hospital disclosed a major data breach affecting 2,507,073 patients after discovering unauthorized access to its internal network and information systems on January 31, 2026. The Texas healthcare provider said a threat actor exfiltrated data containing names, addresses, phone numbers, email addresses, SSNs, dates of birth, medical record and account numbers, health plan beneficiary numbers, and possible photographic images. The hospital said it severed the unauthorized access, worked with law enforcement, and implemented additional security measures, including remediation steps, enhanced network security, updated procedures, and further staff awareness training. Nacogdoches Memorial Hospital did not disclose how long the attacker had access or whether a ransom demand was made.

71. The Australian College of Business Intelligence (ACBI) is investigating a potential cyber incident after being listed on Qilin’s dark web leak site. While the threat actors claimed to have breached the college, they did not publish any details about the alleged attack or provide samples of stolen data. ACBI said it became aware of the claims through its IT services provider and has engaged external cybersecurity specialists while notifying relevant authorities and regulatory bodies. The college added that initial investigations had found no evidence that student data had been compromised, although inquiries into the nature and scope of the incident remain ongoing.

72. A cyber incident involving a third-party IT service provider led to unauthorized access to a limited portion of Menzies Group’s network, the company confirmed. The Australian cleaning services provider said it immediately contained the incident, engaged external cybersecurity specialists, and notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. The disclosure came after Qilin listed Menzies on its dark web leak site, although the threat actors did not provide any details about the alleged attack or publish evidence of stolen data. Menzies said its investigation remains ongoing and that cybersecurity experts are assessing the validity and scope of Qilin’s claims.

73. Erie Family Health Centers disclosed a major data breach affecting up to 570,000 individuals after discovering unauthorized access to its network in January 2026. An investigation determined that a threat actor had access to the Chicago-based healthcare provider’s systems between December 10, 2025, and January 27, 2026, potentially exposing a wide range of personal and protected health information. Depending on the individual, the compromised data may have included SSNs, government-issued identification numbers, financial information, health insurance details, medical records, treatment information, online account credentials, and other sensitive personal data. No threat group has publicly claimed responsibility for the incident.

74. Lumexa Imaging disclosed a vendor-related data breach affecting 2,994 individuals after an unauthorized actor allegedly exploited a connection between the company and a third-party service provider. The incident stemmed from a compromise of the vendor’s systems between March 31 and April 9, 2026, which may have allowed access to documents associated with Lumexa’s affiliated radiology practices. The exposed information included patient names, dates of birth, addresses, phone numbers, account numbers, insurance information, diagnoses, visit dates, and other clinical records, while a small subset of individuals also had their SSNs compromised. Lumexa said it immediately terminated the vendor’s access upon learning of the incident, and the vendor has since implemented additional security measures. 

75. Expert MRI disclosed a data breach affecting 209,560 individuals after discovering unusual activity within its internal network in September 2025. The California radiology provider said an unknown actor accessed and copied certain files between August 14 and August 24, 2025, exposing information including names, addresses, dates of birth, admission dates, diagnosis and treatment information, and SSNs. Expert MRI secured its network, engaged external cybersecurity experts, notified regulators, and is offering affected individuals complimentary identity protection and credit monitoring services. PEAR ransomware group later claimed responsibility for the attack, alleging it had stolen 617 GB of confidential data and threatening to publish the files unless its demands were met.

76. FMRS Health Systems disclosed a data breach after detecting suspicious activity within its network on February 27, 2026. An investigation determined that an unauthorized actor had access to its systems between January 20 and February 27 and copied files containing patient information, although the organization stated that electronic medical records were not accessed. The exposed data included names combined with personal, financial, and health-related information such as SSNs, driver’s license numbers, medical history, treatment details, prescription information, health insurance data, and medical record numbers. While FMRS did not characterize the incident as a ransomware attack, Qilin ransomware group claimed responsibility for the breach. The organization has reported the incident to federal regulators, and the total number of affected individuals is expected to rise as the investigation continues.

77. Delano Public Schools was forced to close its schools for a day after a ransomware attack disrupted district systems. Superintendent Matt Schoen said the incident was first discovered when ransomware messages began printing from printers across the district, prompting IT staff to immediately shut down online systems and school officials to cancel classes while the situation was addressed. In-person learning resumed the following day, although Wi-Fi access remained unavailable as recovery efforts continued. District officials said they were confident that no student, staff, or Google Classroom data had been accessed during the attack.

78. Glendora Surgery Center disclosed a data breach after determining that an unauthorized party accessed its network between November 29 and December 3, 2025, and exfiltrated files containing patient information. The California-based provider said the compromised data included patient names and medical treatment information. The organization has reviewed its privacy and security policies, enhanced administrative and technical safeguards, and provided additional cybersecurity training to staff. The incident has been reported to the U.S. Department of Health and Human Services, and the total number of affected individuals remains under review, with at least 501 people currently identified.

79. CRIT Tunisie and CRIT RH, the Tunisian subsidiaries of Groupe CRIT, disclosed a cyberattack that resulted in a data breach involving personal information belonging to former temporary workers, permanent employees, and certain third parties. The incident was limited to the two Tunisian entities, both of which had already ceased operations following changes to Tunisian labor laws in 2025. Groupe CRIT said it immediately secured the affected systems, launched an investigation into the scope of the breach, and notified Tunisia’s data protection authority. Separately, Titan ransomware group claimed responsibility for the attack and published samples of allegedly stolen data, including payroll records, administrative documents, financial files, and identity documents, although the full extent of any data exfiltration has not been independently verified.

80. Tampa Bay Dental Implants & Prosthetics disclosed a ransomware attack that affected 6,400 individuals after discovering on January 19, 2026, that files on a legacy server had been encrypted. The Florida-based dental provider said the compromised server contained backup copies of electronic medical records, and a subsequent investigation determined that patient information had been exposed. The affected data included names, contact information, dates of birth, treatment notes, clinical histories, and, for a limited number of individuals, SSNs. In response, the organization enhanced its security logging capabilities, strengthened server encryption, and updated access controls to reduce the risk of similar incidents in the future.

81. Aligned Orthopedic Partners notified 7,213 individuals after discovering unauthorized access to its email environment between November 16 and December 16, 2025. A forensic review found that emails and files may have been accessed or acquired, exposing protected health information and personal data such as names, dates of birth, SSNs, driver’s license or state identification numbers, Medicare or Medicaid numbers, financial account details, medical provider names, treatment and diagnosis information, prescription information, health insurance data, patient account numbers, and medical record numbers. 

82. Spanish chemical manufacturer Olipes was listed on SafePay’s dark web leak site. The group claimed to have breached the company and threatened to publish allegedly stolen data unless an undisclosed ransom was paid within three days. The threat actors said the incident had entered the public extortion phase of the attack and indicated that internal company information had been obtained as part of a double extortion operation. While SafePay did not disclose the amount demanded, the group warned that data would be released if negotiations failed. Olipes has not publicly commented on the incident or confirmed whether any data had been compromised.

83. Regional Victorian newspaper The Adviser was listed on Brain Cipher’s dark web leak site, with the group claiming to have stolen more than 350 GB of data from the media outlet. The threat actors said they had set a ransom deadline of June 2, 2026, after which the allegedly stolen information would be published. However, Brain Cipher did not provide any evidence to support its claims, such as screenshots or sample documents, nor did it disclose the amount of its ransom demand. The Adviser has not publicly commented on the allegations or confirmed that a cyber incident had occurred.

84. MyPillow became the subject of an alleged cyberattack after sensitive company and employee data was purportedly listed for publication on a ransomware leak site. Play ransomware group claimed to have stolen a range of information, including financial records, payroll data, tax documents, employee identification files, and customer-related information, and reportedly set a deadline before releasing the data. MyPillow CEO Mike Lindell rejected the allegations, stating that the company had not suffered a breach and describing the claims as politically motivated.

85. DocketWise disclosed a data breach affecting 143,480 individuals after discovering unauthorized access to one of its third-party partner repositories in October 2025. The Austin-based immigration law software provider said threat actors used valid credentials to clone repositories connected to a data migration pipeline containing law firm records and personal information. The exposed data included names, SSNs, dates of birth, driver’s license and passport numbers, banking information, government and tax identification numbers, health insurance details, medical information, and account credentials. DocketWise said its investigation found no evidence that the stolen information had been leaked online or used to extort law firms, and no threat group had claimed responsibility for the incident. 

86. Branded Products has been linked to an alleged cyberattack after the Melbourne-based company was named on the Qilin ransomware group’s dark web leak site. The entry contained no supporting evidence, sample data, ransom deadline, or description of the information purportedly obtained. As a result, the extent of the alleged compromise remains unknown, and the company has not publicly commented on the claims.

87. An alleged cyberattack targeting Alpha Group Holdings surfaced after the New Zealand company appeared on the Qilin ransomware group’s leak site. Despite attracting thousands of views, the post contained no supporting evidence, no description of the incident, and no indication of what information may have been compromised. The company has not commented publicly on the matter.

88. Charter Communications confirmed it was investigating a cybersecurity incident after ShinyHunters claimed it had stolen tens of millions of customer records from the telecommunications provider. The group alleged it breached Charter on April 1, 2026, through a voice phishing attack that compromised an employee’s Microsoft Entra account and enabled access to customer data in a Salesforce environment. ShinyHunters claimed the stolen information included names, contact details, plan information, support ticket data, and some customer proprietary network information, affecting approximately 40 million to 42 million records. Charter said it was following security protocols and notifying authorities but stated that no sensitive personal information or customer proprietary network information was exfiltrated. The company has not confirmed the attack method, the number of affected customers, or whether customer notifications will be issued.

89. Residents of Sandstone, Minnesota, are being notified of a ransomware attack that disrupted city systems in April 2026 and may have exposed sensitive personal information. According to the city, the compromised data included names, SSNs, financial account and routing numbers, addresses, and dates of birth. Qilin ransomware group later claimed responsibility for the attack and added Sandstone to its leak site, although city officials have not publicly confirmed the group’s involvement.

90. A cyberattack on German medical billing services provider Unimed has led to data breaches at multiple university hospitals and healthcare organizations across the country. The April 2026 incident involved the theft of patient data processed by Unimed on behalf of its healthcare clients, prompting the company to disconnect customer interfaces, notify authorities, and engage forensic experts to assess the impact. Several hospitals have since disclosed patient data exposures, including Freiburg University Hospital, which said approximately 54,000 patients were affected, and University Hospital Cologne, which reported that names, addresses, and treatment information relating to around 30,000 patients had been compromised. While Unimed said it was able to prevent the attackers from deploying ransomware, the breach has triggered investigations and patient notification efforts across Germany’s healthcare sector.

91. Australian appliance supplier QLS Group was claimed as a victim by DragonForce, which alleged it had stolen 554.65 GB of company data. To support its claim, the threat actors published a small sample of allegedly exfiltrated information, including confidential documents, contract records, and an incident report. DragonForce provided few details about the nature of the alleged attack.

92. Industrial Acceptance Corporation confirmed it notified 79,216 individuals about a February 2025 ransomware-related data breach that exposed names, SSNs, and driver’s license numbers. The company said it detected unauthorized activity on February 24, took systems offline to restore operations safely, and later learned that certain files had been removed from its network. IAC attributed the ransomware event to INC, although the ransomware group did not list the company on its leak site. Separately, Akira claimed responsibility for an attack on IAC in March 2025 and alleged it had stolen 60 GB of data, but IAC has not acknowledged that claim.

93. Plaza Home Mortgage disclosed a data breach after determining that personal information belonging to customers and employees may have been exposed during a security incident. The California-based mortgage lender began notifying affected individuals in May and directed them to a dedicated response website for additional information and guidance. While the company has not publicly disclosed the full scope of the compromised data, separate reports indicate that Silent claimed responsibility for an attack against Plaza Home Mortgage earlier in the year and threatened to release allegedly stolen information. Plaza has not publicly confirmed the group’s claims, and the extent of any data exfiltration remains unclear.

94. Weil, Gotshal & Manges confirmed it recently responded to a cyber incident involving the unauthorized upload of a limited number of client documents to an external cloud storage platform. The law firm said it activated its incident response procedures, engaged third-party cybersecurity experts, and notified law enforcement after discovering the activity. According to Weil, forensic investigators determined that the threat actor did not gain access to the firm’s network and that business operations were not disrupted. Reports later linked the incident to Silent ransomware group, with others suggesting that Weil paid between $18 million and $20 million to prevent the publication of stolen client data, although the firm has not publicly confirmed that a payment was made.

95. Brisbane accounting firm Kennedy McLaughlin & Associates confirmed it experienced a cyber incident involving unauthorized third-party access to part of its IT environment after being listed on Qilin’s dark web leak site. The firm said it mobilized a response team, contained the incident, secured its systems, and engaged cybersecurity experts to support its investigation and recovery efforts. Qilin initially listed the company in March, but the full dataset was reportedly published later and included financial details belonging to several clients alongside other company data. Kennedy McLaughlin said it has notified individuals whose information may have been impacted and reported the incident to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.

April

April marked a record-breaking month for ransomware activity, with 105 publicly disclosed attacks, the highest April total since tracking began in 2020. Organizations across 22 countries were impacted, with the United States accounting for 60% of all incidents. Healthcare was the most targeted sector, recording 25 attacks, followed by the services and government sectors with 16 each. In total, 32 ransomware groups were linked to publicly disclosed incidents, with ShinyHunters emerging as the most active, responsible for 15 attacks.

Find out who made ransomware headlines in April.

1. A cyberattack targeting St. Joseph County, Indiana, was revealed after the threat group Handala claimed responsibility for compromising county systems. The group alleged it had accessed and exfiltrated 2 TB of sensitive data, including records from law enforcement and other departments, and threatened to release the information publicly. County officials confirmed a breach had occurred but indicated it was linked to a third-party fax server rather than core government systems and said the incident had been contained. The full scope of the data exposure remains unclear.

2. Lapsus$ listed Mercor on its leak site, claiming to have obtained a wide range of company data. According to the group, the stolen information includes a 200GB database, a 3TB repository of video and identity verification data, and 939GB of source code. The AI recruiting startup confirmed it was affected by a supply chain attack linked to the compromised open-source LiteLLM project.

3. In North Dakota, a ransomware attack on the Minot Water Treatment Plant forced operators to temporarily switch to manual gauge readings. The malware impacted the facility’s SCADA system, though the note left by the attackers did not include a ransom demand. City officials confirmed the water supply remained safe throughout the incident, and no ransomware group has publicly claimed responsibility.

4. Gem Terminal Industry stated that certain information was impacted by a cyberattack in early April. Key units including Suzhou Gem Opto-Electronics Terminal and Vietnam Gem Electronic and Metal were impacted by the incident. The organization activated its security response plan and restored affected systems in phases, with the support of external cybersecurity experts. An initial assessment indicated no material impact on its operations. The Gentlemen ransomware group claimed responsibility for the attack. 

5. A cyberattack disrupted operations at a municipal office in Náměšť nad Oslavou in the Třebíč region in the Czech Republic, forcing most systems offline and limiting public services. Around 70 computers had to be reinstalled as IT teams worked to restore servers and recover data from backups. LockBit took credit for the attack.

6. Check City Partnership confirmed it notified 322,687 people about a March 2025 data breach. Personal information including names, SSNs, government-issued IDs and financial information was compromised during the incident. Clop claimed responsibility for that attack in May 2025, adding the payday loan company to its leak site. To prove its claim, Clop posted sample images of alleged stolen documents from the company. 

7. Texas-based gun store Mister Guns notified 21,225 individuals of a data breach after unauthorized access to its systems in November 2025. The group Securotrop claimed responsibility, alleging it exfiltrated 290GB of data. The compromised information included personally identifiable information and various government-issued IDs. In its notification, the company stated there is no evidence that the stolen data has been misused as a result of the incident.

8. Toy manufacturer Hasbro disclosed a cyber incident involving unauthorized access to its systems, which led to disruptions across parts of its IT network. The company took affected systems offline as a precaution and initiated response and recovery efforts. While the full scope of the attack has not been confirmed, including whether data was exfiltrated, Hasbro stated that operations continued through contingency measures. No ransomware group has publicly claimed responsibility for the incident.

9. Brokk, a Swedish manufacturer of remote-controlled demolition machinery, reportedly had a 4GB dataset stolen from its systems by the Play ransomware group. The attackers threatened to release the data unless an undisclosed ransom was paid. The compromised information is said to include internal corporate data such as financial records, budgets, payroll details, identification documents, tax information, and client files.

10. Global law firm Jones Day confirmed a cyber incident after the Silent ransomware group gained access to its systems via a phishing attack. The group claimed responsibility and posted stolen data on its leak site, alleging extortion attempts against the firm. According to reports, the attackers accessed a limited number of older files tied to around 10 clients, all of whom were notified. Evidence shared by the group suggested a ransom demand of $13 million, with threats to publicly release all stolen data and further target the firm if its demands were not met.

11. Signature Healthcare, a Massachusetts-based healthcare provider, was hit by a cyberattack that significantly disrupted operations at its Brockton Hospital. The incident forced ambulance diversions, canceled some services, and impacted systems including electronic health records and pharmacy operations. Anubis ransomware group claimed responsibility, alleging it had exfiltrated over 2 TB of sensitive data and setting a deadline for a ransom payment, though the group later removed the listing from its leak site. 

12. New Jersey-based Shingle & Gibb Automation is notifying individuals of a cyberattack in November 2025 that resulted in the compromise of certain personal data. A forensic investigation found that an unauthorized third party gained access to the company’s network and obtained specific files. The Akira ransomware group claimed responsibility for the attack, alleging it exfiltrated 25GB of data.

13. Heart South Cardiovascular Group confirmed it notified 46,666 people of a November 2025 data breach that compromised their personal information. Heart South did not disclose what types of data were compromised. Rhysida took credit for the breach on November 10, 2025. The ransomware group demanded six bitcoins in ransom, worth about $630,000 at the time. To support its claims, the group published sample images on its leak site, including ID scans and medical records.

14. ProxyCare LLC started to notify individuals impacted by an August 2025 cybersecurity incident. An investigation into the incident confirmed that certain computer systems had been accessed and that patient data had been exposed. At this time, it is not clear how many individuals were affected by the breach. 

15. Qilin has taken responsibility for a cyberattack targeting Germany’s political party Die Linke. The party reported that the breach occurred in late March, when unauthorized access to parts of its infrastructure led to the shutdown of key systems to limit the impact. Attackers were able to extract internal data, including some employees’ personal information. However, Die Linke stressed that its membership database was not accessed or affected.

16. Cybercriminals allegedly stole 7.7 TB of sensitive internal documents from the Los Angeles Police Department and leaked the data online. The stolen data included personnel files, internal affairs investigations, and discovery documents that include unredacted criminal complaints and personal information. LAPD stated that it is investigating the breach that involved a digital storage system belonging to the police department. Those responsible have not been publicly named.

17. South Illinois Dermatology has notified individuals of a data security incident that took place in late November 2025. An investigation into the incident confirmed unauthorized access to part of its network where patient files were stored. Affected data includes names, addresses, DOBs, and medical record numbers. Insomnia ransomware group took credit for the attack, claiming to have obtained the data of more than 150,000 patients. Samples of stolen data were added to the group’s leak site as proof, with the full data leak taking place at a later date.

18. Sydney-based GC Dental has been named on Space Bears’ dark web leak site, where the group claims to have stolen patient information and a “database.” However, the attackers have not provided details about the incident or the data in question, and the links to the alleged leaks are non-functional. GC Dental has not publicly responded to these allegations.

19. Qilin has listed Australian technology company Seeing Machines on its dark web leak site, offering no details beyond the company’s name. Seeing Machines confirmed it is aware of the claim that some of its data had been accessed and said it is “investigating this claim as a matter of priority.”

20. Sumitomo Metal Mining disclosed that its Philippine subsidiary, Coral Bay Nickel Corporation, suffered a ransomware attack in which two servers were encrypted. The company immediately isolated the affected servers and launched an investigation into the scope of the breach alongside external specialists. Operations at the company’s production plant remained unaffected. It is not known who is responsible for the attack. 

21. The Dutch healthcare software provider ChipSoft was hit by a significant ransomware attack, disrupting systems used by a large proportion of hospitals across the Netherlands. The incident was confirmed by the sector’s cybersecurity authority, Z-CERT, after unauthorized access was detected, prompting ChipSoft to take key services, including patient portals and mobile applications, offline to contain the breach. The company’s software supports between 70% and 80% of Dutch hospitals, meaning the attack had widespread impact, with multiple healthcare institutions disconnecting systems as a precaution and some experiencing service disruptions. Subsequent investigations confirmed that cybercriminals were able to steal sensitive personal and medical data, although ChipSoft later stated that the stolen information had been destroyed and not published, without clarifying whether a ransom was paid. Embargo ransomware group took credit for the attack, claiming to have stolen 100 GB of data.

22. In North Carolina, Atlantic Brain and Spine disclosed a January 2026 cybersecurity incident. Upon discovering suspicious activity in its computer network, the healthcare provider engaged third-party specialists to investigate the incident. It was confirmed that certain patient data had been accessed. The exposed data is still being reviewed but is said to include PII, PHI and financial information. 

23. Innovative Pharmacy Packaging Corp confirmed in a breach report that the protected health information of 133,862 patients had been exposed in a recent security incident. An investigation into the September 2025 attack confirmed that unauthorized access to its network had resulted in the exfiltration of files. IPPC conducted a review of affected files which confirmed that they contained a range of personal and protected health information. It is not clear who is responsible for the attack. 

24. Brooklands of Mornington in Victoria, Australia, was listed on the dark web leak site of Space Bears. The group claimed to have stolen personal data belonging to both guests and staff, financial information, and “other files.” While the ransomware group did not give specific details on the exfiltrated data, it did threaten to publish the allegedly stolen files five days after the post was written. The resort has not yet publicly addressed the group’s claims. 

25. Winona County, Minnesota experienced a significant ransomware attack in early April 2026, marking the second such incident to hit the county that year. The attack was detected on April 7, prompting officials to take parts of the county’s computer network offline as a precaution, which led to disruptions across public services, including vital records and DMV systems, while emergency services remained operational. Due to the scale and complexity of the incident, Minnesota Governor Tim Walz authorized the deployment of the National Guard to assist with response and recovery efforts, alongside federal and third-party cybersecurity experts. The county has gradually restored systems, though delays persisted as backlogs were addressed. Interlock claimed responsibility for the attack. 

26. Gunra ransomware group listed Eric Davis Dental on its leak site, adding a file tree of documents to the post as proof of its claims. The data was structured into three folders: HealthCoachData, Scans, and Scans2025, alongside a collection of more than 500 PDFs labelled with potential patient names. The folders contained various letters of referral, DNA results, tax invoices and receipts. Eric Davis Dental confirmed that it is aware of Gunra’s claims and has launched a comprehensive review of its systems. Initial investigations did not identify any evidence of a cybersecurity incident, system compromise, or data breach.

27. Reports emerged indicating that the Silent ransomware group breached international law firm Orrick, Herrington & Sutcliffe. The attack occurred in January 2026, with the attackers maintaining access to the firm’s network for several days. During this time, they moved laterally across systems, locating valuable data repositories before exfiltrating sensitive information. The firm is reported to have entered negotiations with the group, but discussions collapsed after Silent deemed the offer inadequate, leading to the publication of the stolen data.

28. Rx Management has been listed on INC’s dark web leak site, with the group claiming to have exfiltrated more than 180 GB of data. While INC provided no further details about the alleged incident, it issued the pharmacy management company a two-day deadline to comply with unspecified demands. Rx Management has not publicly commented on these claims.

29. Siam Okamura International Co Ltd published a notice on its website stating that it had detected unauthorized access to certain servers within its network. In response, the company implemented containment measures and, with the support of external cybersecurity specialists, initiated a detailed investigation. Data believed to be linked to the company has appeared online, with the scope and nature of the information still under review. The ransomware group DragonForce has claimed responsibility for the incident, alleging it exfiltrated 368.7 GB of data.

30. Semiconductor manufacturer Grand Process Technology Co reported that it had been impacted by a ransomware attack. In response, the company isolated affected systems, initiated data recovery processes, and began investigating the incident and its potential impact. No known ransomware group has claimed responsibility.

31. Anubis ransomware group has claimed responsibility for a cyberattack targeting Western Australian operator Shine Aviation. The group added the company to its dark web leak site, alleging it exfiltrated more than 68,000 files amounting to 57 GB of data. According to Anubis, the stolen information includes a broad range of sensitive material, from aircraft and flight details to network access credentials and internal systems data. The post also included several sample files, such as images of employee security passes and login information.

32. Bendigo & District Aboriginal Co-operative (BDAC) has been listed on INC’s dark web leak site, although the group provided few details about the alleged incident. BDAC has since confirmed that it identified and contained a cybersecurity incident on the same day, helping to minimise the impact. The organization is continuing to investigate the matter in coordination with relevant authorities.

33. DermCare Management disclosed that it detected unauthorized access to its computer systems in late February 2026. The investigation found that over a twelve-day period, attackers were able to access and obtain patient information. The company engaged data review specialists, who determined that the compromised data includes names, government-issued identification, financial details, and medical records. While the total number of affected patients has not been specified, DermCare confirmed that 11 of its 70 clinics were impacted.

34. Healthdaq, a Dublin-based recruitment platform, was targeted in a ransomware attack by the relatively new group XP95. The company detected unauthorized access to its data in late March and stated that the incident was quickly contained. Potentially compromised information includes names, CVs, government-issued identification, and some health-related data. XP95 claims to have exfiltrated 431 GB of data.

35. Vilhelmina Municipality in Sweden was impacted by a ransomware attack, believed to be part of a broader IT campaign affecting several councils across the country. The incident disrupted the municipality’s websites, e-services, and telephone systems, while broadband services for network customers were gradually shut down as a precautionary measure. Social services were among the most affected, losing access to critical systems. It remains unclear who is responsible for the attack.

36. INC ransomware group has claimed responsibility for an attack on Dorotea Municipality in Sweden. The incident pushed the council into emergency mode after attackers encrypted municipal systems overnight. Despite the disruption, Dorotea prioritised maintaining essential services such as home care and childcare. It remains unclear whether any data was exfiltrated during the attack, and the council confirmed that no ransom was paid.

37. ShinyHunters has claimed to have breached GTA developer Rockstar Games, alleging it obtained valuable data and issuing a deadline for the company to meet unspecified demands before releasing it. Rockstar acknowledged that a limited amount of non-sensitive company information was accessed, stating that the incident had no impact on its operations or players.

38. In Minnesota, Spring Lake Park Schools suffered a cybersecurity incident that resulted in unauthorized access to some of the district’s systems. Affected systems were shut down to prevent further spread of the attack. All classes, including childcare, community education programs and afterschool activities, were cancelled. The district contacted state law enforcement and the FBI to assist with an investigation into the incident. 

39. Ralph Lauren is believed to have been impacted by a cyberattack originating through a third-party provider rather than its own infrastructure. At present, it is unclear what data, if any, may have been compromised, and the company has not publicly commented on the alleged unauthorized access. The group CoinbaseCartel has claimed responsibility for the incident, though it has not provided any specific details on its leak site.

40. Reports indicate that Mexico’s Ministry of the Navy (SEMAR) suffered a cyber incident resulting in data exfiltration from its Safe Smart Port (PIS) platform. A threat actor subsequently leaked 39.7 GB of data on a public forum. The breach is said to have impacted around 640,000 port operators. No additional details about the incident have been publicly disclosed.

41. Rocky Mountain Associated Physicians disclosed a security incident involving unauthorized access to the protected health information of up to 50,640 current and former patients. A forensic investigation found that attackers gained access to certain systems, including the patient database, which contained names, Social Security numbers, health information and insurance details. In some cases, financial account information was also exposed. The ransomware group PEAR claimed responsibility for the attack and published the stolen data after ransom demands were not met.

42. Education company McGraw-Hill confirmed that the ShinyHunters group exploited a Salesforce misconfiguration to access internal data. The company stated that the incident was limited in scope and involved only non-sensitive information. However, ShinyHunters claims to have obtained 45 million Salesforce records containing personal data and has threatened to release the information if its ransom demands are not met.

43. INC listed Mastercom, an Australian communications company, on its leak site. The hackers claim that compromised data includes customer information, HR data and financial information. Soon after the initial post, the ransomware group leaked the full dataset, which includes information from a company called Queensland Communications, which was acquired by Mastercom in 2013. The organization has stated that it is aware of the incident but refused to comment further. 

44. Franziskusschule in Wilhelmshaven was targeted in a cyberattack, which has been confirmed by the relevant authorities, with a report filed to local police. Officials indicated that no lasting damage is expected and that school operations have not been disrupted. The school noted on its website that its “IServ” network was temporarily unavailable but is being addressed. The ransomware group Payload has claimed responsibility, alleging it exfiltrated 13 GB of data.

45. Autovista confirmed that it called in outside support to help with the fallout of a ransomware attack that affected systems in Europe and Australia. Applications experienced disruption as part of the incident and the organization worked to resolve these issues as quickly as possible. Given the early-stage nature of the attack, Autovista was not aware of how the cybercriminals were able to breach its systems.

46. Krybit ransomware group has listed Dencom New Zealand on its leak site, giving the company ten days to comply with unspecified demands. As proof of the breach, the group released a number of documents, including personal data, family correspondence linked to a Dencom employee, tax invoices, and medical records. The total volume of data allegedly stolen has not been disclosed. Dencom’s website was temporarily unavailable, and the company has not publicly responded to the group’s claims.

47. Data reportedly stolen from Hallmark Cards Inc has been released on cybercrime forums after ShinyHunters threatened to publish millions of records linked to the company. The group claims to have obtained nearly eight million records, which have now been made public. The leaked data is said to include both customer information and internal company data.

48. The National Railroad Passenger Corporation (Amtrak) has been listed by ShinyHunters as a victim, with the group claiming to have exfiltrated 9.4 million Salesforce records. According to the attackers, the dataset contains personally identifiable information as well as internal corporate data. However, no sample data has been released to substantiate these claims.

49. Shun Hing Group reported that it identified unauthorized access and damage to its computer systems as a result of a cyberattack. The company has filed a police report, notified relevant authorities, and engaged independent cybersecurity experts to investigate the incident. A review of the affected data is ongoing, but it has been confirmed that compromised information includes names and other contact details. LockBit ransomware group has claimed responsibility for the attack.

50. A total of 1,758 people were notified of a data breach involving the Phoenix Art Museum, which led to the compromise of their names and Social Security numbers. The museum stated that it identified unauthorized access to its systems in early December 2025 and immediately launched an investigation. Rhysida took credit for the attack, stating that it had stolen data from the museum and demanded 10 BTC in ransom, worth about $667,000 at the time.

51. Japan-based Cota Co Ltd confirmed that the system disruption it disclosed in late March was caused by a ransomware attack. The company isolated potentially infected internal systems and disconnected its network as a precaution, while withholding technical details of the ransomware to prevent further damage. The company reported that, as of now, there is no confirmed leakage of personal or other sensitive information.

52. FriendlyCare Pharmacies has been listed on Kairos’ leak site, with the group claiming to have exfiltrated 113 GB of data. A sample of the alleged data included medical information such as prescriptions, an incident report, employment-related correspondence, and a licence, all seemingly tied to the company’s Booval location. FriendlyCare has not publicly responded to these claims.

53. Threat actors have publicly released data stolen from Standard Bank of South Africa. In late March, the bank disclosed that it had identified an incident involving unauthorized access to certain data, followed by two further updates to clients in April. The breach exposed a subset of client records, including account numbers, business names, and some identification details. The bank reiterated that its transactional banking services and core operating systems were neither accessed nor compromised.

54. Windward Life Care has begun notifying individuals of a data security incident that occurred in December 2025. A forensic investigation determined that unauthorized access to its network led to the compromise of personal and protected health information. Sinobi ransomware group claimed responsibility, alleging that it both encrypted files and exfiltrated 25 GB of data. The group later published the stolen data after ransom demands were not met.

55. ShinyHunters has listed Alert 360, the fifth-largest home and business security provider in the US, on its victim blog, providing a download link to a purported 10 GB dataset containing 2.5 million records. The exposed data is said to include personally identifiable information as well as internal corporate data. Alert 360 has not publicly responded to these claims.

56. Another victim attributed to ShinyHunters this month is US retailer 7-Eleven. The group reportedly gained access through Salesforce and claims to have exfiltrated more than 600,000 records, including personal and internal corporate data.

57. Carnival Corporation was targeted in a cyberattack claimed by ShinyHunters, which listed the cruise giant on its leak site this month. The group alleges it exfiltrated more than 8.7 million records containing personally identifiable information and internal corporate data, issuing a deadline for ransom payment before threatening to publish the data. Subsequent reports indicate that the data, linked to a loyalty program operated by a Carnival subsidiary, may include names, dates of birth, and other personal details, with millions of unique email addresses exposed. Carnival has acknowledged a security incident, stating it stemmed from a phishing attack on a single user account and that containment measures were quickly implemented, though the full scope and validity of the attackers’ claims remain under investigation.

58. Zara was another high-profile organization targeted by ShinyHunters, after being listed on the group’s dark web leak site alongside other major brands. The attackers claimed to have gained access to sensitive data, reportedly via a third-party connection linked to broader cloud and analytics compromises, and issued a “pay or leak” ultimatum, threatening to publish the stolen information if ransom demands were not met. Subsequent reports suggest that data tied to Zara was later released following failed negotiations, with the breach believed to involve customer and internal corporate data, although the full scope and impact have not been publicly confirmed by the company.

59. Blackwater ransomware group took credit for a cybersecurity incident at Minidoka Memorial Hospital in Idaho. The incident itself took place on Easter morning and temporarily impacted certain systems within the healthcare provider. The ransomware group claimed to have stolen 577 GB of data from the hospital and demanded that an undisclosed ransom be paid within a week of the initial post. 

60. Glendale Obstetrics & Gynecology has begun notifying individuals of a security incident that occurred in October 2025. Initially described as a network disruption impacting part of its digital environment, it was later confirmed that unauthorized access had taken place, resulting in the compromise of sensitive data. The exposed information includes both personally identifiable information (PII) and protected health information (PHI). The SafePay ransomware group claimed responsibility for the attack and subsequently released the stolen data.

61. Lymphedema Therapy Specialists disclosed a data breach stemming from unauthorized access to its systems in February 2026. A subsequent review determined that the compromised data includes names, Social Security numbers, government-issued identification, medical information, and health insurance details. INC ransomware group has claimed responsibility for the attack.

62. City Health notified certain patients of a hacking incident that was identified at the end of March 2026. An unauthorized party gained access to its network for a nine-day period and viewed or acquired files containing sensitive information. Data accessed includes names, insurance details, and procedure codes. It was reported that the incident impacted around 65,000 individuals. 

63. Canada Life announced that it had identified a cyber incident involving access to certain applications through an employee account. The incident was quickly contained and regular operations and services continue. An investigation was immediately launched with support from third-party cybersecurity experts. ShinyHunters added Canada Life to its leak site, claiming to have stolen 5.6 million Salesforce records. 

64. Strata management firm Strata Republic was listed on Kairos’ victim portal, with the group claiming to have exfiltrated 441 GB of data. The group published several files as evidence of the hack, including employee documents, an income tax report and a driver’s licence of an employee. Strata Republic has not yet publicly acknowledged these claims. 

65. Adaptavist Group initiated an investigation into a security incident after a threat actor gained access using stolen credentials. The company stated that the affected systems contained standard business data. The Gentlemen ransomware group has claimed responsibility, alleging a “complete infrastructure compromise” and significant data exfiltration. According to the group’s dark web post, the stolen data includes hundreds of thousands of purported customer records, product source code, credentials, and elements of production systems.

66. Citizens Financial Group stated that it is dealing with a data security incident tied to a third-party provider. The company acknowledged that data had been exfiltrated but stated that most of it was masked test data, with a limited set of information for a small number of customers. Everest ransomware group claimed responsibility for the attack, adding sample data and a deadline to its dark web leak site listing. 

67. In Vermont, Springfield Hospital started notifying patients advising them that some of their personal and protected health information had been exposed during a cybersecurity incident late last year. A forensic examination determined that an unauthorized individual had accessed information. Data exposed includes names, DOBs and SSNs, alongside information such as medical record numbers, physician’s names and reasons for visits. A file review confirmed that 5,892 individuals were affected by the breach. 

68. Chicago’s Saint Anthony Hospital started notifying patients about the theft of some of their personal and protected health information. The breach notification does not state when the unauthorized access was detected, only that an unauthorized third party accessed and/or acquired files and folders of unstructured information. Electronic medical records were not impacted by the breach. It is reported that 146,108 individuals were impacted by the incident.

69. 285,086 patients have been impacted by a cyberattack on North Texas Behavioral Health Authority. NTBHA identified unauthorized activity within its computer systems in mid-October 2025, with an investigation determining that patient information was accessed during a two-day intrusion period. The types of data involved have not been made public, although for some individuals, Social Security numbers have been exposed.

70. Architectural firm Grace Design Studios LLC is facing a proposed class action alleging that its failure to safeguard sensitive data led to a ransomware attack. According to the lawsuit, an unauthorized party accessed the company’s network in mid-April and stole private information involving customers and employees. Payouts King was responsible for the attack and claimed to have exfiltrated 2.5 TB of data from the organization. 

71. Malaysian heavy crane manufacturer Favelle Favco has been listed as a victim on SafePay’s dark web leak site, with the group claiming to have published a 237 GB dataset. The leaked data reportedly includes around 140,000 files related to the company’s Australian operations and Sydney production facilities. Exposed information is said to include government-issued IDs of Australian employees, internal and customer communications, financial records, and technical documents. Favelle Favco has not publicly commented on these claims.

72. Frost Bank was reportedly targeted by the Everest ransomware group, which threatened to release large volumes of stolen data if its demands were not met. The group claims the breach includes data relating to nearly 250,000 customers. Sample files shared as proof appear to contain Social Security numbers, tax identification numbers, mortgage interest rates, and other sensitive information.

73. Murray Medical Center in Minnesota announced a data security incident that affected current and former patients. The incident was first detected in August 2025, when suspicious activity was observed in its IT systems. With the help of external cybersecurity experts, it took until the end of January 2026 to determine that patient and employee data had been compromised during the incident. Exposed information includes both PII and PHI. The breach impacted approximately 5,073 individuals. 

74. A major data breach was announced by Hospital Caribbean Medical Center in Puerto Rico. An intrusion was detected by its monitoring systems in early February, with steps immediately taken to contain the incident. It is believed that the incident has impacted 92,000 individuals. The Gentlemen took responsibility for the attack, claiming to have exfiltrated sensitive data including patient information. 

75. The Town of Orange, Virginia was reportedly targeted in a ransomware attack claimed by the LockBit group, which listed the municipality on its dark web leak site. The claim followed a February technology outage that forced the closure of Town Hall and several municipal offices for parts of three days, disrupting local services and limiting payment methods while systems were restored. LockBit alleged it had compromised the town’s network and threatened to release sensitive government data unless negotiations were initiated. Officials have not publicly confirmed any link between the outage and the ransomware claim or disclosed whether data was accessed or exfiltrated.

76. Yamaichi Electronics disclosed that its Philippine subsidiary, Pricon Microelectronics, was impacted by a ransomware attack affecting certain servers, confirmed on April 17, 2026. In response, the company engaged external cybersecurity experts to secure and restore affected systems while investigating the cause and scope of the incident. Yamaichi apologized to customers and stakeholders for the disruption and concern caused. The company is still assessing the potential impact on its consolidated business performance and has not yet determined any financial or operational effects, noting that further updates will be provided if disclosure requirements are triggered.

77. France’s National Agency for Secure Titles (ANTS), the government body responsible for issuing identity documents, confirmed a data breach following a cyber incident detected in mid-April. The breach is believed to have exposed data from both individual and professional accounts on its portal, including names, contact details, dates of birth, and other account-related information. A threat actor known as “breach3d” claimed to have stolen and attempted to sell up to 19 million records on cybercrime forums, though the full scale of the incident remains under investigation. Authorities have stated that while personal data was accessed, there is no evidence that user accounts or the platform itself were compromised, and the agency is working with law enforcement and cybersecurity experts as the investigation continues.

78. Yau Yat Chuen Garden City Club, a private club in Hong Kong, was impacted by a ransomware attack that compromised the personal data of more than 9,000 individuals, including current and former members. The breach stemmed from the club’s customer management system, which was rendered inoperable after attackers encrypted files on a server. Exposed data included names, ID and passport numbers, dates of birth, contact details, and addresses. Investigations found the incident was linked to multiple security weaknesses, including outdated software, poor authentication controls, and inadequate cybersecurity measures. While there is no evidence the data has been publicly leaked, authorities determined the club had failed to adequately protect personal data and issued enforcement actions, prompting remedial security improvements.

79. A South Australia-based genealogical research organization, Genealogy SA, confirmed it experienced a cyber incident after being listed by the SafePay ransomware group on its dark web leak site. The organization detected the breach earlier in the year and engaged external cybersecurity experts to contain and investigate the incident, later notifying affected members. SafePay claimed to have exfiltrated a range of sensitive data, including business and financial documents, insurance records, historical genealogical data, personal correspondence, and internal materials, and subsequently leaked the information after ransom demands were not met.

80. Real estate investment firm JRK Property Holdings Inc. was reportedly impacted by a ransomware attack in early April 2026, with claims from the group The Gentlemen that it compromised data relating to approximately 111,000 individuals. According to a newly filed class action lawsuit, the breach exposed sensitive personal information, including names and Social Security numbers. The incident was first identified via a ransomware monitoring site that published alleged ransom notes, suggesting that attackers were able to access and exfiltrate data, raising concerns around identity theft and financial fraud.

81. The City of Suffolk, Virginia is investigating an attempted ransomware attack after a threat actor gained unauthorized access to its network and tried to deploy ransomware. The intrusion was identified after a federal alert flagged suspicious activity, allowing IT staff to respond quickly and prevent full encryption of systems. However, officials acknowledged that data may have been accessed or exfiltrated during the window of unauthorized access, with potentially sensitive personal information at risk. The incident prompted an ongoing investigation, with authorities working to determine the scope of any data exposure while implementing additional security measures to strengthen defenses.

82. Online learning platform Udemy was recently listed as a victim by ShinyHunters, which alleged it had exfiltrated more than 1.4 million user records containing personally identifiable information and internal corporate data. The group issued a “pay or leak” ultimatum, threatening to publish the stolen data if its demands were not met. Subsequent reports indicate that the dataset, linked to both users and instructors, was later released on cybercrime forums, with exposed information including email addresses, names, contact details, and additional account-related data. Udemy has not publicly confirmed the breach.

83. The University of Warsaw disclosed a cyber incident involving unauthorized access to its IT systems, where attackers used compromised credentials to infiltrate the network and move laterally across systems. During the intrusion, large volumes of data were copied and later published online, including tens of thousands of files containing personal data such as identification details, contact information, financial records, and health-related data. Interlock ransomware group has claimed responsibility, alleging it exfiltrated approximately 850 GB of data and sharing sample images on its leak site as proof.

84. ViaQuest, a U.S.-based healthcare and social services provider, was listed as a victim of a ransomware attack claimed by the Anubis group, which alleged it had compromised company systems and exfiltrated a substantial volume of sensitive data. According to the group, approximately 4.1 TB of data, comprising over one million files, was stolen during the intrusion, potentially impacting more than 37,500 patients and 3,900 employees. The reportedly exposed data includes extensive personal and medical information, alongside employee records and internal administrative documents. At the time of reporting, the full scope of the incident had not been independently verified, and ViaQuest had not publicly commented on the claims.

85. Florida Physician Specialists, a Jacksonville-based multi-specialty practice, began notifying patients about a data breach stemming from a November 2025 cyber incident. An investigation confirmed that an unauthorized third party accessed its network over a two-day period, with a subsequent data review determining that a limited amount of patient information may have been exfiltrated. Potentially compromised data includes names combined with sensitive details such as Social Security numbers, government-issued IDs, financial information, and medical and health insurance data.

86. ADT confirmed it experienced a data breach after detecting unauthorized access to customer and prospective customer data, prompting an immediate response to contain the intrusion and launch an investigation. The company determined that exposed information primarily included names, phone numbers, and physical addresses, with a smaller subset of records also containing dates of birth and partial Social Security or tax identification numbers. No payment information or home security systems were impacted. ShinyHunters claimed responsibility, alleging it stole millions of records by exploiting an employee account through a vishing attack to access ADT’s Salesforce environment.

87. Mile Bluff Medical Center in Mauston, Wisconsin, responded to a cyberattack that resulted in the encryption of files across parts of its network. Upon discovery, the organization implemented security protocols and engaged third-party experts to assist with the investigation and recovery efforts. The incident caused limited, temporary disruptions to certain systems, including its phone services, with clinical teams operating under downtime procedures to ensure continuity of patient care. While restoration efforts are ongoing, it remains unclear whether any patient data was impacted. No ransomware group has claimed responsibility for the attack at this stage.

88. Rodenburg Law Firm has begun notifying 81,307 individuals of a data breach linked to an August 2025 cyber incident, following the completion of its internal investigation. The firm confirmed that sensitive data, including Social Security numbers, payment card details, and medical information, was compromised. Akira ransomware group claimed responsibility for the attack, alleging it exfiltrated around 144 GB of data from the firm’s systems, including employee records, confidential legal files, court documents, and client information.

89. Video platform Vimeo confirmed a data breach after an attack linked to its third-party analytics provider, Anodot, which allowed unauthorized access to user and customer data. The ShinyHunters extortion group claimed responsibility, alleging it had extracted large volumes of data and issuing a “pay or leak” ultimatum. The compromised information primarily included technical data, video metadata, and some customer email addresses, while Vimeo stated that login credentials, payment information, and video content were not affected.

90. The Massachusetts Development Finance Agency (MassDevelopment) was reportedly targeted in a March 2026 cyberattack, with the ransomware group DragonForce claiming responsibility. According to breach notifications, unauthorized access to the agency’s network led to files being copied on the same day the intrusion was identified. The group alleges it stole approximately 1.56 TB of data, including personal information such as names, Social Security numbers, driver’s license details, and financial account data. MassDevelopment has not confirmed the group’s claims, and the full scope of the breach, including the number of individuals affected, remains unclear.

91. BELFOR Asia confirmed it was impacted by a cyberattack affecting its regional operations, prompting the shutdown of IT systems and disconnection of network access to contain the incident. The company later disclosed that data had been exfiltrated and subsequently leaked online. INC ransomware group has claimed responsibility, alleging it stole approximately 430 GB of data and publishing sample files as proof on its leak site. The compromised information is understood to include project-related, corporate, and personal data such as case details, damage reports, and contact information. BELFOR has engaged external cybersecurity experts and continues to investigate the full scope of the breach.

92. The Rural Municipality of Gimli in Manitoba was recently impacted by a cyberattack that disrupted municipal operations and led to systems being taken offline while the incident was investigated. Officials engaged external cybersecurity experts to assist with containment and recovery, and residents were advised to use alternative methods for payments during the outage. The ransomware group Payload has claimed responsibility, alleging it encrypted systems and exfiltrated 69 GB of data, and has threatened to release the information if its demands are not met.

93. Application security firm Checkmarx confirmed that a recent supply chain attack led to the theft and public release of internal data from its GitHub environment. The breach stemmed from a compromise of third-party tooling, allowing attackers to inject malicious code into development workflows and gain access to repositories. As a result, source code, employee databases, API keys, and MongoDB and MySQL credentials were exfiltrated before being leaked online. The incident is part of a broader campaign targeting software supply chains, with the Lapsus$ group claiming responsibility for the attack.

94. Sandhills Medical Foundation has begun notifying 169,017 individuals of a data breach stemming from a May 2025 ransomware attack, following the completion of a lengthy forensic investigation into the incident. Notification letters were issued in late April 2026, nearly a year after the breach was first identified, confirming that sensitive personal and health information, including Social Security numbers, financial data, and medical records, had been accessed by an unauthorized third party. INC ransomware group claimed responsibility, alleging it exfiltrated the data and later published it after ransom demands were not met, though the organization has not publicly verified these claims.

95. Australian gelato chain Gelatissimo confirmed it is investigating a cyber incident after being listed by DragonForce ransomware group on its dark web leak site. The group claims to have exfiltrated approximately 352 GB of data from the company’s systems and has shared sample files as proof, including employee records, financial information, and internal documents. Gelatissimo stated it is working with cybersecurity experts to assess the scope and impact of the incident, while the threat actors have issued a deadline and threatened to publish the full dataset if their demands are not met.

96. The City of Ardmore, Oklahoma has begun notifying residents following a ransomware attack on its internal computer servers. The incident, identified in early April, involved unauthorized access to systems containing information related to individuals involved in criminal complaints and investigations. The exposed data is understood to include personal details such as names, addresses, and phone numbers, though officials stated that financial systems were not affected as they are housed separately. The notification was issued out of an abundance of caution as the city continues to assess the scope of the incident and any potential impact on affected individuals.

97. Adams County, Mississippi was impacted by a ransomware attack that significantly disrupted government operations, with the incident effectively locking staff out of critical systems for over a week. The attack began after threat actors gained access through an outdated computer, allowing the malware to spread across the county’s network and restrict access to services including court records, public documents, and payment systems. County offices were forced to halt online services and accept only cash payments while recovery efforts were underway. Authorities confirmed the FBI is investigating the incident, though no ransomware group has publicly claimed responsibility and the full scope of any data exposure remains unclear.

98. STELIA Aerospace North America confirmed it was impacted by a ransomware attack affecting its North American IT environment, prompting the company to activate incident response protocols and isolate affected systems to contain the breach. Rhysida claimed responsibility, alleging it exfiltrated approximately 10 TB of data and issued a ransom demand of 27 BTC (around $2.07 million), alongside a deadline before the data would be released. The group also published sample files as proof of the intrusion, including identity documents, employee records, and technical drawings, suggesting a significant compromise of sensitive corporate and partner-related information.

99. Starr Insurance disclosed a data security incident after identifying unauthorized access to its systems, where a threat actor was able to copy files containing sensitive information. The compromised data is believed to include names, Social Security numbers, government-issued IDs, financial details, medical information, and health insurance data. Akira ransomware group claimed responsibility, alleging it exfiltrated approximately 15 GB of corporate and personal data.

100. The Asian Football Confederation (AFC) was reportedly impacted by a large-scale cyberattack, with threat actors claiming to have accessed and leaked a database containing sensitive information on more than 150,000 players and staff. The exposed data is said to include passport scans, contracts, email addresses, and detailed personal and registration information tied to both the AFC and affiliated clubs. The dataset was advertised and partially released on a cybercrime forum, with sample files shared to validate the breach. The incident has been described as one of the most significant data exposures in football, raising concerns around identity theft, fraud, and targeted attacks against high-profile individuals. ShinyHunters referenced the breach, though it remains unclear whether the group was directly responsible or if its name was used to bolster credibility.

101. Kent District Library in Michigan was impacted by a ransomware attack that forced the closure of all its branches and disrupted core services across its network. The incident began as a reported “network outage” before being confirmed as a ransomware event affecting system operability, including public access to computers and library services. In response, the library shut down systems, engaged third-party cybersecurity and forensic experts, and launched an investigation to determine the scope of the attack. While some branches have since reopened with limited services, the full extent of the disruption and any potential data exposure remains under investigation.

102. Kreis Kassel in Germany continues to investigate a cyberattack that impacted parts of its IT infrastructure, particularly within its waste management and youth services entities. Authorities confirmed that data from the affected systems has since been published on the dark web, indicating that information was exfiltrated during the incident. SafePay ransomware group has claimed responsibility for the attack. Investigations are ongoing to determine the scope of any compromised personal data, with officials working alongside data protection authorities and law enforcement. 

103. Medtronic confirmed it was impacted by a cyberattack involving unauthorized access to data within certain corporate IT systems. The incident was detected and contained, with the company activating incident response measures and engaging external cybersecurity experts to investigate the scope of the intrusion. ShinyHunters claimed responsibility, alleging it exfiltrated more than 9 million records containing personally identifiable information, along with terabytes of internal corporate data, and issued a deadline for ransom payment under threat of a leak. Medtronic stated that the breach did not affect its products, patient safety, or core operations, and that customer and hospital networks remain separate, while investigations continue to determine whether sensitive data was accessed.

104. Denso confirmed that a cyber incident involving unauthorized access affected parts of its group network, specifically systems linked to subsidiaries in Italy and Morocco. The intrusion was identified after a third party gained access to internal networks, prompting the company to activate emergency response measures, isolate affected systems, and engage external cybersecurity experts to investigate and contain the breach. Ongoing investigations have indicated that some internal and third-party-related information may have been exfiltrated, although no significant impact on production or product delivery has been reported. Qilin ransomware group claimed responsibility, listing Denso on its leak site and threatening to release stolen data if demands are not met, though the extent of any data compromise remains unconfirmed.

105. U.S. logistics technology firm Pitney Bowes was listed as a victim by ShinyHunters, which claimed to have stolen and subsequently leaked company data. The exposed dataset reportedly includes around 8.2 million unique email addresses, along with names, phone numbers, and physical addresses, as well as a subset of employee-related information such as job titles. The data was published after alleged ransom negotiations failed, though Pitney Bowes has not publicly confirmed the incident or the extent of any compromise.

March

March saw 90 publicly disclosed ransomware attacks, marking the second month this year in which incidents exceeded 90. Organizations in the United States accounted for 60% of all reported attacks, with smaller nations such as Andorra and Panama also included among the 24 countries impacted. Healthcare remained the most targeted sector with 18 attacks, followed by government and manufacturing with 14 and 12 incidents, respectively. In total, 30 ransomware groups were linked to publicly disclosed attacks, with Qilin leading activity with eight attacks.

Keep reading to find out who made ransomware headlines in March.

1. DragonForce ransomware group claimed responsibility for an attack on the Getulio Vargas Foundation (FGV), a leading educational institution in Brazil, involving unauthorized access and the exfiltration of approximately 1.52 TB of data, including sensitive information such as names, identification details, and banking data. FGV confirmed it experienced a security incident that temporarily disrupted some of its systems and acknowledged that data associated with the institution has appeared on the dark web.

2. A cyberattack disrupted the Denmark School District in Wisconsin, leaving it without internet access for five school days and forcing teachers and students to switch to paper-based workarounds. District officials did not disclose which systems were impacted or whether any data was compromised. The INC ransomware group claimed responsibility, stating it had stolen 707 GB of data and issuing a six-day deadline for negotiations.

3. Qilin claimed responsibility for a breach of LISI Group, listing the French industrial component supplier on its dark web leak site. The company, which supplies parts to Airbus and Boeing, confirmed it experienced a cyber incident but stated that its impact was limited in scope. Samples released by the attackers reportedly include screenshots of bank transfers, sales plans, business documents, bank account details, and other sensitive files.

4. Anubis ransomware group claimed responsibility for a cyberattack on AkzoNobel, a global paints and coatings manufacturer, involving a breach at one of its U.S. sites. The attackers reportedly exfiltrated around 170 GB of data, including sensitive information such as employee details, passport scans, internal documents, and client agreements. AkzoNobel confirmed the incident, stating it was contained and limited in scope, while investigations and notifications to affected parties are ongoing.

5. Community Health Action of Staten Island has notified certain individuals of a cybersecurity incident that may have involved unauthorized access to, or theft of, sensitive data. The breach notice offered limited details, confirming only that information such as names, Social Security numbers, and other personal data may have been affected. The Genesis ransomware group claimed responsibility, stating it exfiltrated around 200,000 records, including sensitive personal and medical data. According to the group, this includes approximately 60,000 records from HIV-tested patient databases, along with HIPAA-protected information and employee data.

6. QualDerm Partners recently disclosed additional details surrounding a December 2025 cyberattack, confirming that more than 3.1 million individuals were affected. The breach involved unauthorized access to parts of its network and the exfiltration of highly sensitive data, including personal information, medical records, treatment details, and health insurance data. Notification efforts are now underway, with impacted individuals being informed of the potential exposure. No known ransomware group has claimed the attack.

7. West Virginia law firm Katz Kantor Stonestreet & Buckner (KKSB) disclosed a data breach involving potential exposure of sensitive personal information. According to a notice on its website, the firm detected suspicious activity on its network and initiated an investigation, which confirmed that data such as names, Social Security numbers, and driver’s license details had been accessed. The Kairos ransomware group claimed responsibility, alleging it exfiltrated approximately 700 GB of data.

8. 12,655 individuals have been notified of a data breach stemming from an August 2025 incident involving the Children’s Council of San Francisco. The breach notice did not clarify whether any of the compromised data related to children. Two weeks after the attack, the SafePay cybercriminal group claimed responsibility via its leak site, demanding an undisclosed ransom within 24 hours in exchange for deleting the stolen data. It remains unclear whether the organization engaged with the attackers.

9. Nephrology Associates Medical Group has begun notifying patients of a cyberattack and data breach initially identified in May 2025. The organization detected suspicious activity on its network and took steps to secure its systems and limit further unauthorized access. An investigation later confirmed that a third party had accessed the network and exfiltrated files containing patient information, including names, medical and health data, as well as billing and payment details.

10. Valley Radiology Consultants Medical Group announced a security incident and data breach that was first identified in September 2025. Immediate action was taken to secure its network, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. An investigation confirmed unauthorized access to its network and files containing patient information.

11. LHT Holdings recently detected a cybersecurity incident involving unauthorized access to parts of its network, which led to the encryption of certain systems. The company quickly isolated affected systems, engaged external cybersecurity specialists, and notified the relevant authorities. Preliminary findings suggest the incident was contained, with no evidence that personal or confidential data was accessed. However, the INC ransomware group claimed responsibility, publishing a number of documents on its leak site to support its claims.

12. Dutch plastic recycler Cabka identified a cybersecurity incident impacting portions of its IT systems. Upon detection, the company isolated affected systems and engaged external cybersecurity experts to carry out a forensic investigation, which remains ongoing. Play ransomware group claimed responsibility for the attack, issuing a four-day deadline for negotiations.

13. ShinyHunters listed Woflow on its dark web blog, threatening to release stolen data on March 6 if its demands were not met. The group claimed to hold hundreds of millions of records containing personal information, transaction data, and other internal corporate materials, although no sample data was provided. Woflow has not publicly confirmed or responded to these claims.

14. The City of Seal Beach, California, reported detecting unusual activity within its network. Officials stated that the environment was secured upon discovery and an investigation was initiated, though no further details have been released due to the ongoing nature of the case. Qilin ransomware group claimed responsibility, posting screenshots of alleged stolen documents on its dark web leak site, but did not specify the volume or type of data involved.

15. Qilin claimed to have breached Tennessee Valley Electric Cooperative (TVEC), based in Savannah, Tennessee. However, the group’s dark web post did not include details about the alleged attack or any data obtained, and no supporting evidence was provided. TVEC has not yet publicly responded to these claims.

16. The Warren County Sheriff’s Office in Kentucky confirmed it has notified an undisclosed number of individuals following a data breach identified in December 2025. An investigation into suspicious network activity determined that cybercriminals had accessed and exfiltrated data, including names, Social Security numbers, driver’s license details, and health insurance ID numbers. RansomHouse claimed responsibility, alleging it stole 743 GB of data, including weapons license records and “videos and investigative materials purportedly showing abuse of authority by officers.”

17. Universal Mailing Services (UMS) was reportedly targeted in a cyberattack claimed by the Securotrop ransomware group. The attackers allege that approximately 490 GB of data was exfiltrated, including around 500,000 documents that were later published on their leak site. According to their claims, the stolen data contains sensitive information relating to both employees and clients.

18. Australian fashion brand Helen Kaminski was reportedly targeted in a ransomware attack claimed by the Play group. According to the group’s dark web listing, the attackers allege they exfiltrated sensitive corporate data, including client documents, payroll information, financial and tax records, and identification data. A three-day deadline for negotiations was issued, although no evidence was provided to support the claims.

19. Ericsson’s U.S. subsidiary reported that data belonging to more than 15,000 employees and customers was compromised following a breach at one of its service providers. According to the company, the provider responsible for storing personal data identified the incident in late April 2025, triggering an investigation into its scope and impact. The exposed information is understood to include personal data, financial details, and medical information.

20. ELECQ, a manufacturer of smart electric vehicle chargers, has warned customers that their personal data may have been compromised in a ransomware attack that encrypted and exfiltrated information from its cloud systems. The company detected unusual activity on its AWS platform and determined that parts of its infrastructure had been targeted. ELECQ stated that no financial data was affected by the incident. No known ransomware group has claimed responsibility for this incident.

21. Ransomware group Genesis added the City of Hart in Michigan to its leak site, claiming to have stolen 300 GB of data. City officials stated that the city responded to an IT incident involving unauthorized access to a limited portion of its network. An investigation into the incident remains ongoing, limiting the information that can be publicly shared. Genesis gave the city less than six days to meet its undisclosed ransom demands before data was published. 

22. In Pennsylvania, the Community College of Beaver County was impacted by a ransomware attack that resulted in the encryption of all its data. The incident came to light when the IT department discovered the college had been completely locked out of its systems and received a ransom note from the attackers. The administration has since been working with its insurance provider to help identify the threat actors and explore options to restore access before considering any ransom payment.

23. Wagon Mound Public Schools took its internet and networked systems offline after the superintendent informed families that a virus had disrupted access across the network. The district notified its insurance provider and began recovery efforts to restore systems. In early March, the Interlock group listed the district as a victim, claiming to have exfiltrated 80 GB of data, including staff and student information. The district has not publicly addressed these claims.

24. The Independent Public Regional Hospital in western Poland was forced to revert to paper-based processes following a cyberattack that impacted its IT systems. Hospital officials confirmed the incident temporarily disrupted digital operations, although patient care was not affected. It remains unclear whether any data was exfiltrated, and no ransomware group has claimed responsibility for the attack.

25. Approximately 90,000 individuals were affected by a ransomware attack on the National Association on Drug Abuse Programs (NADAP), attributed to the Genesis group. The incident, which occurred in late January 2026, involved the compromise of protected health information and personally identifiable data relating to clients and associated individuals. Genesis later claimed responsibility in March, alleging it exfiltrated 2 TB of data, including medical records and HR files, and provided an extended justification for targeting the nonprofit organization.

26. Lehigh Carbon Community College was forced to close following disruption to its IT systems caused by a ransomware attack. The disruption impacted the school’s network and school operations. A forensic investigation into the incident remains ongoing. Medusa claimed responsibility for the attack, posting a $100,000 ransom demand in exchange for an undisclosed amount of exfiltrated data. 

27. SafePay listed NSW-based dental practice Smile Team Orthodontics on its dark web leak site in mid-March, publishing documents allegedly obtained during the breach. The exposed data includes staff directories and personal details such as addresses and emails, as well as medical certificates, training and certification records, and hundreds of DentiCare patient payment plans. Additional internal documents and some patient treatment histories were also disclosed. Smile Team confirmed it experienced a cyber incident that resulted in unauthorized access to parts of its IT systems.

28. A cyberattack targeted ASB Saarland, a German humanitarian and social services organization, after attackers gained access to one of its servers containing sensitive data. According to the organization, the compromised system held personal information relating to current and former employees, applicants, and clients, including employment records, contact details, and in some cases health-related information. The affected server was quickly isolated and forensic investigations were launched, with authorities notified. Operations such as emergency services and patient care continued without disruption. Qilin claimed responsibility for the attack, allegedly stealing 72 GB of data and adding proof of claims documentation to its dark web leak site. 

29. MetroWest Community Federal Credit Union, a U.S.-based financial institution, reported that a data breach identified in September 2025 exposed the personal and financial information of more than 20,000 customers. The organization detected unauthorized access to certain systems, which allowed attackers to obtain sensitive customer and banking data. Akira ransomware group claimed responsibility, alleging it exfiltrated 294 GB of corporate data, including employee personal, financial, and employment records, as well as client files and non-disclosure agreements.

30. LockBit claimed responsibility for a cyberattack targeting the Alcorn School District in Mississippi. In response to suspicious activity that disrupted its systems, the district shut down its network. The group has reportedly issued a two-week deadline for the district to pay an unspecified ransom. The extent and type of any data exfiltrated remain unknown at this time.

31. A database purportedly linked to SUCCESS Magazine, containing over 141,000 subscriber records, has appeared on a cybercrime forum. The exposed data is said to include detailed customer information tied to the publication’s subscription and retail systems. Sample records indicate data such as names, email addresses, phone numbers, and physical mailing addresses was compromised. The party responsible for the incident has not yet been confirmed.

32. England Hockey, the national governing body for field hockey in England, is investigating a suspected data breach after being listed as a victim on the AiLock ransomware group’s leak site. The group claims to have exfiltrated 129 GB of data and has threatened to release the files unless an undisclosed ransom is paid. While England Hockey has acknowledged the incident, it stated that no further details can be shared at this stage due to the ongoing investigation.

33. Handala has claimed responsibility for a cyberattack against New York-based payment device manufacturer Verifone. The group alleged that the breach caused significant disruption to payment systems and terminals, and that all associated transaction and financial data was exfiltrated. Verifone has denied these claims, stating it found no evidence of any such incident and that its services have remained fully operational for customers.

34. DragonForce has released a batch of stolen documents on the dark web, allegedly obtained during a ransomware attack on Australian poultry producer Hazeldenes. The group claims to have exfiltrated 78.78 GB of data from the company. Hazeldenes launched an investigation into the mid-February incident and has since confirmed that data was indeed exfiltrated. The company stated that the affected information appears to be largely limited to historical operational and corporate data.

35. Telus Digital, a Canadian business process outsourcing firm, has confirmed it experienced a security incident after the ShinyHunters group claimed to have stolen nearly 1 petabyte of data over several months. The group alleged that the compromised data includes extensive customer information tied to Telus’ BPO services, as well as call records from its telecommunications division, and has reportedly attempted to extort the company. However, Telus Digital stated it is not engaging with the threat actors. While acknowledging the incident, the company added that its operations have remained fully functional, with no evidence of any disruption to service connectivity.

36. Andorra’s Pyrénées Group has confirmed that a ransomware attack led to unauthorized access to certain internal records and customer data. The company stated that cybersecurity experts successfully contained the incident, identified its source, and restored full operations. The affected data includes names, email addresses, and, in some cases, payment information. The Akira ransomware group has claimed responsibility, alleging it exfiltrated 263 GB of data. Pyrénées Group also confirmed that it did not pay any ransom to the attackers.

37. A class action lawsuit has been filed against Nelson Worldwide following a ransomware attack that allegedly exposed employee information. The Chaos ransomware group claimed to have breached the company’s systems, exfiltrating 400 GB of data, including sensitive employee records. The group reportedly threatened to release the full dataset unless the company engaged in negotiations. Nelson Worldwide has not publicly responded to these claims.

38. Loblaw Companies Limited, Canada’s largest food and pharmacy retailer, has notified customers of a cyberattack that led to the compromise of certain data. After detecting suspicious activity within a limited, non-critical segment of its network, the company determined that an unauthorized third party had accessed some basic corporate information. The group responsible for the incident has not yet been identified.

39. INC ransomware group has reportedly breached systems belonging to Hawk Law Group. The group listed the firm on its leak site, publishing a selection of documents as proof of its claims. Reports indicate that the compromised data may include clients’ personal information, such as government-issued identification and case-related details. Hawk Law Group has not yet issued a public statement regarding the incident.

40. Tieu Dental Corporation in California has begun notifying patients of unauthorized access to its computer systems that occurred last summer. The intrusion was detected in late July 2025, and a subsequent forensic investigation confirmed that the compromised files contained patient information, including names, medical records, and health insurance details. The total number of individuals affected by the breach has not yet been determined.

41. JEAN Group reported a cyberattack on its information systems that caused temporary disruption. The company stated that its security team promptly implemented defensive and recovery measures, while external cybersecurity experts were brought in to support the response. Initial assessments indicate no material impact on operations or financial performance. The LockBit ransomware group has claimed responsibility, reportedly giving the manufacturing firm a two-week deadline to pay an undisclosed ransom.

42. A ransomware attack targeted the DeKalb County Sheriff’s Department in Tennessee, disrupting its email and inmate booking systems. The department’s main server was affected, though it remains unclear what other systems may have been impacted. A third-party firm has been engaged to assess the incident and support data recovery efforts as the investigation continues.

43. Hudson River Housing has disclosed a data breach that occurred in March 2025, resulting in the compromise of personal information. A recently concluded investigation found that certain files containing sensitive data were accessed and may have been exfiltrated by an unauthorized actor. The Rhysida ransomware group claimed responsibility soon after the incident, posting sample images on its leak site as proof. The group reportedly demanded a ransom of $744,000.

44. Meadowlark Hills, a non-profit retirement community in Kansas, has reported a breach affecting the protected health information of 14,442 individuals. The organization detected unauthorized access to its network in mid-July 2025, and a subsequent forensic investigation determined that files containing personal and health data were exfiltrated. The compromised information includes names, government-issued identification, financial account details, and medical records. Beast ransomware group claimed responsibility, alleging it exfiltrated 750 GB of data.

45. MedPeds Associates of Sarasota has notified 21,430 individuals of a data breach involving personal and protected health information. The organization detected unauthorized access to its systems in September 2025, during which ransomware was used to encrypt files. A subsequent review determined that the affected data included names, dates of birth, contact details, and medical records. Beast ransomware group claimed responsibility, alleging it exfiltrated 400 GB of data.

46. Medusa ransomware group claimed responsibility for a cyberattack on Passaic County, New Jersey. The group, which reportedly demanded an $800,000 ransom with a 16-day deadline, published samples of allegedly stolen documents on its dark web leak site. Passaic County confirmed it experienced an attack affecting its IT systems and phone lines and has engaged federal and state authorities to assist with the investigation and containment efforts.

47. Health Dimensions Group reported a data breach impacting 450 individuals. The organization, which became aware of the incident in October 2025, initiated its incident response procedures and engaged cybersecurity specialists to conduct an investigation. The review determined that certain files were accessed and exfiltrated, containing information related to independent contractors. Worldleaks group has claimed responsibility and has published the stolen data.

48. Cedar Valley Services in Minnesota has confirmed that a data incident resulted in the exposure of individuals’ protected health information. Limited details about the incident have been made public. Qilin claimed responsibility in December 2025, listing the organization on its leak site and sharing screenshots of data allegedly obtained during the attack.

49. ShinyHunters cybercrime group claimed responsibility for a recent data extortion attack against Aura, a U.S.-based digital security firm, which the company confirmed resulted in the compromise of at least 900,000 records. The breach stemmed from a targeted voice phishing attack that enabled unauthorized access to an employee account for a short period, during which the threat actor exfiltrated a large dataset primarily consisting of names and email addresses. ShinyHunters alleged it stole additional corporate data and attempted to extort Aura by threatening to publish the information after failed negotiations. Aura stated that highly sensitive data such as Social Security numbers, passwords, and financial information were not compromised, and that its core systems remained secure despite the incident.

50. INC claimed responsibility for a cyberattack on Namibia Airports Company (NAC), alleging it exfiltrated nearly 500 GB of data. NAC confirmed that it detected a cybersecurity incident impacting certain IT systems, involving unauthorized access to network infrastructure and administrative accounts. The organization stated that there is currently no evidence of data exfiltration, although investigations remain ongoing to determine the full extent of the incident.

51. Foster City, California was forced to suspend all public services, except for emergency operations, following a ransomware attack. The city manager declared a state of emergency as a result of the disruption. Officials warned that public information may have been compromised and advised individuals who have interacted with the city to update their account passwords. The incident left city services offline for a week. No threat group has claimed responsibility for the attack at this time.

52. A dataset allegedly linked to Russell Cellular, a major U.S. wireless retailer, containing more than 6.3 million customer records, is being offered for sale online for $1,200. Advertised on a well-known hacker forum, the 61 GB dataset includes 209 database tables. The seller claims the data contains a broad range of sensitive customer and employee information. It is not yet clear whether the data originated from Russell Cellular’s internal systems or from a third-party service provider connected to its operations.

53. Navia Benefit Solutions has notified individuals impacted by a cyberattack that occurred in December 2025. The compromised data reportedly includes names, contact details, and Social Security numbers. According to the breach notice, approximately 2,697,540 individuals were affected, with the incident stemming from unauthorized access to Navia’s network over the course of a month. The party responsible for the attack has not yet been identified.

54. Worldleaks ransomware group has claimed responsibility for a cyberattack on Los Angeles Metro that led to system disruptions. According to local media, unauthorized activity was detected on Metro’s internal systems, prompting restricted access and impacting station arrival displays. Despite the disruption, rail and bus services continued to operate as normal, and no customer or employee data was reported to be affected. Worldleaks alleged it exfiltrated 159.9 GB of data, publishing three screenshots on its leak site as proof of claims.

55. Westport Fuel Systems reported detecting unauthorized access to portions of its network, which impacted certain internal IT business applications as well as some business and employee information. The company noted that its manufacturing systems were not affected. An investigation into the incident is ongoing. Embargo ransomware group claimed responsibility, alleging it exfiltrated 1.8 TB of data from the organization.

56. Handala group claimed responsibility for a cyberattack targeting Lockheed Martin, alleging it exfiltrated 375 TB of data from the aerospace and defense firm. The group asserts that the stolen information includes sensitive materials such as F-35 aircraft blueprints and other corporate data. It has also issued further demands exceeding $400 million in exchange for not selling the data to U.S. adversaries. A Lockheed Martin spokesperson acknowledged that the company is aware of the claims.

57. In the Philippines, a reported cybersecurity incident involving the Department of Public Works and Highways (DPWH) is under investigation following claims of data exfiltration posted on the dark web. Bashe (APT73) ransomware group listed the agency on its leak site, alleging it had stolen 50 GB of data, including internal documents, emails, financial records, and personal information. However, initial findings from the investigation indicate there is no evidence that any files were accessed or exfiltrated from DPWH’s internal systems.

58. Semiconductor testing firm Trio-Tech International identified a cyberattack in mid-March that resulted in the encryption of files across its network. In response, the company took affected systems offline and engaged cybersecurity specialists to manage the incident. The breach also led to the unauthorized exposure of certain company data. The Gunra ransomware group claimed responsibility, although it did not specify the volume of data allegedly exfiltrated.

59. The Lapsus$ group claimed responsibility for a significant data breach involving global biotechnology and pharmaceutical company AstraZeneca, alleging the theft of 3 GB of sensitive intellectual property. The stolen data reportedly includes application source code, private cryptographic keys, authentication tokens, Vault credentials, and Terraform configurations for AWS and Azure environments. The group shared previews of the data, including screenshots, on dark web forums and invited interested buyers to pay for access to the repositories. AstraZeneca has not commented on the claims.

60. DragonForce ransomware group has allegedly breached Conrad Capital’s servers, claiming to have stolen clients’ personal and financial information. The group states it exfiltrated 74.23 GB of data and issued a five-day deadline for the finance company to enter negotiations. Conrad Capital has not yet publicly responded to the claims made by DragonForce.

61. SATS AS, a training and fitness service provider, has identified unauthorized access to parts of its IT systems, resulting in a data breach. After detecting the incident, the company acted quickly to remove the intruders, contain the breach, and prevent further unauthorized access. External cybersecurity experts have been engaged to assess the full scope and impact. Preliminary findings suggest that the compromised data includes internal administrative documents, as well as personal information relating to a group of employees. The Gentlemen ransomware group has claimed responsibility for the attack.

62. Infinite Campus has notified customers of a data breach following an extortion attempt by the ShinyHunters group. According to notification letters, the incident stemmed from unauthorized access to an employee’s Salesforce account. The attackers reportedly set a March 25 deadline for the company to initiate negotiations to prevent the release of stolen data; however, Infinite Campus stated it will not engage with the threat actors. ShinyHunters claims the stolen data includes Salesforce records containing personally identifiable information and internal corporate data, though the company maintains that its investigation found no evidence that customer databases were accessed.

63. Duffy’s Sports Grill was impacted by a ransomware attack attributed to the Qilin group, which disrupted its internal systems and operations for at least a week. The incident affected both customers and staff, with several locations unable to process credit card payments, and the company’s MVP loyalty program also experiencing outages. The ransomware group did not specify how much data may have been accessed during the attack.

64. Mazda Motor Corporation recently disclosed that a December 2025 cyberattack led to the exposure of data belonging to employees and business partners. An internal investigation found that attackers exploited vulnerabilities in the company’s warehouse management system, resulting in unauthorized access to a portion of the data stored within it. A total of 692 records were accessed, none of which involved customer information. The compromised data includes names, email addresses, company names, user IDs, and business partner IDs. The Clop ransomware group claimed responsibility for the incident in November 2025. 

65. Kaplan, a Florida-based education services company, has disclosed that a cybersecurity incident late last year resulted in the exposure of sensitive personal information belonging to at least 230,000 individuals. Unauthorized actors accessed files containing names, Social Security numbers, and driver’s license numbers. No threat group has claimed responsibility for the incident.

66. NYC Health + Hospitals Corporation has disclosed that personally identifiable information and protected health information were exposed in a data security incident. Suspicious activity was detected within its network in early February, prompting an immediate response and the launch of an investigation. Findings revealed that an unauthorized third party had access to the network for nearly 11 weeks. To date, no ransomware group has claimed responsibility.

67. ShinyHunters listed Ameriprise Financial as a victim, threatening to release allegedly stolen data if a ransom is not paid. The group also warned that the data leak would be accompanied by “several annoying (digital) problems.” It claims to possess Salesforce records containing personally identifiable information, along with more than 200 GB of compressed internal SharePoint data. Ameriprise Financial has not yet publicly responded to these allegations.

68. Aroostook Mental Health Center (AMHC), a major behavioral healthcare provider in Maine, was recently targeted in a ransomware attack attributed to Qilin. The incident caused network disruption that impacted some business operations and connectivity, prompting the organization to engage external cybersecurity specialists to investigate and respond. Qilin added AMHC to its dark web leak site and claimed to have obtained data, reportedly issuing threats to publish it if negotiations were not initiated. AMHC has stated it is not engaging with the threat actors, and while the investigation remains ongoing, the organization has not confirmed whether any sensitive data was accessed or exfiltrated.

69. A newly emerged ransomware group known as ALP-001 claimed responsibility for a cyberattack against Chinese surveillance technology giant Hikvision. The group listed the company on its dark web leak site, alleging it exfiltrated approximately 19.9 TB of data from internal systems. The threat actors warned they would release the stolen data in stages if their demands were not met, though no specific ransom amount has been disclosed. At this stage, the claims remain unverified, as sample data links provided by the attackers were reportedly non-functional, and Hikvision has not publicly commented on the incident.

70. Spain’s Port of Vigo was hit by a ransomware attack that disrupted key digital systems used for cargo management and logistics coordination. The incident led authorities to isolate affected servers and disconnect parts of the network, forcing port operations to rely on manual, paper-based processes while systems remained offline. Despite the disruption to digital services, physical operations such as ship movements and cargo handling continued. A ransom demand was reportedly issued, though no threat group has publicly claimed responsibility. Investigations are ongoing to determine the cause and full scope of the incident, with no confirmed timeline for full system restoration.

71. St Anne’s Catholic School in Southampton was recently forced to close after a ransomware attack disrupted its IT systems. Threat actors gained access to the school’s network, impacting access to systems and temporarily halting teaching and learning activities. The school’s IT team acted quickly to contain the incident and prevent further spread, while reporting the breach to authorities including the Information Commissioner’s Office, the National Cyber Security Centre, and the police. Details surrounding the method of intrusion and any potential data compromise remain limited, with investigations ongoing.

72. Viva Ticket, a global ticketing and event management platform used by major museums, theme parks, and live events, was recently impacted by a ransomware attack that disrupted services across its network. The incident affected an estimated 3,500 partner organizations worldwide, including high-profile venues, and led to outages in online booking and ticketing systems. While investigations are ongoing, reports indicate that certain customer data, such as names, email addresses, and purchase details, may have been exposed. There is currently no evidence that payment or banking information was compromised. The attack has been linked to a ransomware operation, with some sources attributing it to the RansomHouse group, although full details of the breach and its impact are still being assessed.

73. Goodwill Industries of North Central Pennsylvania was recently listed as a victim by the Interlock ransomware group, which claims to have exfiltrated approximately 80 GB of data from the nonprofit organization. The group alleges that the stolen data includes personal information and financial documents related to employees and partners, and has listed the organization on its dark web leak site as proof of the breach. Reports indicate that the incident may be linked to wider system disruptions affecting some Goodwill operations, though details remain limited. At this time, Goodwill has not publicly confirmed the full extent of the breach, and investigations are ongoing to determine the scope and impact of the incident.

74. ShinyHunters has claimed responsibility for an attack targeting ZenBusiness, a U.S.-based business services platform. The group alleges it exfiltrated “several terabytes” of data from the company, reportedly obtained through access to cloud-based platforms such as Salesforce, Snowflake, and Mixpanel. ShinyHunters issued a deadline for the company to initiate negotiations, warning that failure to comply would result in the public release of the stolen data along with additional disruptive actions. While the exact nature of the compromised information has not been confirmed, sources suggest it could include internal corporate data and potentially personally identifiable information related to customers and employees. ZenBusiness has not publicly commented on the claims at this time.

75. Private healthcare provider IntraCare in New Zealand was recently impacted by a cyber breach that forced the organization to take its IT systems offline and defer at least 28 patient procedures. The incident disrupted operations and limited the provider’s ability to access patient records and contact affected individuals. In response, IntraCare engaged external cybersecurity experts, notified authorities, and launched a forensic investigation to determine the scope and impact. The Gentlemen ransomware group claimed responsibility for the attack.

76. Vantage Plastic Surgery disclosed a security incident involving unauthorized access to the protected health information of approximately 4,600 current and former patients. An investigation confirmed that patient data was exposed, with a review revealing that the compromised information included names, addresses, phone numbers, dates of birth, and medical record details.

77. Multinational communications and digital marketing firm Hightower Holdings has disclosed a significant data breach affecting 131,483 individuals. The company reported that unauthorized access to its network occurred in early January, enabling threat actors to obtain customers’ personal information. The compromised data includes names and Social Security numbers. No known ransomware group has claimed responsibility for the incident.

78. The Jackson County Sheriff’s Office in Indiana was recently hit by a ransomware attack that severely disrupted its operations, rendering its entire computer network, including PCs, Wi-Fi, and reporting systems, unusable. The incident, believed to have originated from a malicious email, forced the department to shut down systems and begin rebuilding its IT infrastructure from scratch. Law enforcement operations were significantly impacted, with officers reverting to manual processes and dispatch services temporarily relocated to another police department. Officials confirmed that no ransom would be paid.

79. Stockton Cardiology Medical Group has begun notifying patients of a recent security incident in which files containing patient information were accessed. The compromised data includes names, contact details, and billing records that may contain limited medical information. The Genesis ransomware group claimed responsibility, alleging it exfiltrated and published 645 GB of stolen data in mid-February.

80. Monmouth University in New Jersey was recently targeted in a ransomware attack claimed by the PEAR ransomware group. The threat actor alleges it exfiltrated up to 16 TB of data from the university’s systems and has posted sample materials as proof on its leak site. The university confirmed that the incident involved unauthorized access to certain information on its network and has engaged cybersecurity experts and notified law enforcement to investigate. While PEAR has threatened to release the stolen data if demands are not met, the full scope of the breach and the nature of the compromised information remain under review, with no confirmed operational disruption reported.

81. Omax Autos Limited confirmed that it was targeted in a ransomware attack affecting its IT infrastructure. The company stated that while unauthorized activity was detected and the incident has been verified, its core systems and manufacturing operations have not been impacted. Omax Autos has launched an investigation to assess the extent of any potential damage or data exposure and is implementing remedial measures to strengthen its cybersecurity posture. The full scope and impact of the incident remain under review.

82. Panama’s Social Security Fund (CSS) activated a contingency plan following a suspected cyberattack that affected parts of its digital infrastructure. The organization reported disruptions to its web services and quickly implemented response measures to contain the incident and maintain operations. The Gentlemen ransomware group has claimed responsibility for the attack. While details remain limited, CSS stated it is continuing to assess the potential impact and restore full functionality, with investigations ongoing.

83. Statistics South Africa (Stats SA) has reportedly been targeted in a ransomware attack that may have exposed large volumes of sensitive data. The agency confirmed the incident, while threat actors identified as the XP95 ransomware group claimed to have exfiltrated over 450,000 files totalling approximately 154 GB, including data from internal systems such as HR records. The group allegedly demanded a ransom of around $100,000 in exchange for not releasing the data. Sample files were posted on its leak site as proof of its claims.

84. Bangladesh’s largest supermarket chain, Shwapno, was listed on LockBit’s leak site in mid-March, with the group releasing more than 410 GB of data on the dark web. The exposed files reportedly include customer names, phone numbers, purchase histories, supplier information, contracts, bank deposit records, HR documents, and internal policies. The incident follows a separate ransomware claim made by the Qilin group approximately seven months earlier.

85. Woodfords Family Services has notified authorities of a ransomware attack in 2024 that resulted in the breach of personal and protected health information of 8,073 individuals. Suspicious activity was first identified in April 2024, with a comprehensive internal review only concluding in late January 2026. Medusa ransomware group claimed responsibility for the attack shortly after it occurred.

86. U.S.-based healthcare technology provider CareCloud disclosed a cybersecurity incident involving unauthorized access to one of its electronic health record (EHR) environments. The attack caused a temporary network disruption lasting approximately eight hours, affecting the functionality and data access of part of its CareCloud Health platform. The company confirmed that an unauthorized third party gained access to systems containing patient information, though it is still assessing whether any data was accessed or exfiltrated. CareCloud engaged external cybersecurity experts, notified authorities, and has since restored all affected systems. At this time, no ransomware group has claimed responsibility, and the full scope and impact of the incident remain under investigation.

87. XP95 ransomware group has claimed responsibility for a cyberattack on the Gauteng City Region Academy, alleging it accessed and exfiltrated approximately 147 GB of private and personal data. The group is reportedly demanding a ransom of $100,000 in exchange for not releasing the information. The academy, a Gauteng provincial government entity focused on providing bursaries, internships, and training opportunities for young people, has not publicly responded to the claims.

88. XP95 ransomware group has claimed responsibility for a cyberattack on Eholo Health, a Spanish provider of clinical management software for psychologists. The group alleges it exfiltrated approximately 165 GB of data, including over 1.1 million medical notes and personal information relating to more than 600,000 users. According to XP95, the data was initially intended for sale after the company allegedly refused to pay a $300,000 ransom following several weeks of negotiations but was later released publicly. The exposed data reportedly includes sensitive clinical notes and patient details. Eholo Health has not publicly acknowledged the incident or confirmed whether affected individuals or regulators have been notified.

89. INC ransomware group claimed responsibility for a cyberattack on the City of Meriden, Connecticut, alleging it stole data from municipal systems. The city first reported an “attempted interruption” to its network in February, which caused weeks of service disruptions, including delays to water billing and ongoing issues at city clerk and tax offices. The group later listed Meriden on its leak site and shared sample documents as proof of its claims, though officials have not confirmed the breach or the extent of any data compromise. Investigations remain ongoing, and it is unclear what data, if any, was accessed or exfiltrated.

90. Qilin ransomware group claimed responsibility for a cyberattack targeting U.S.-based chemical manufacturing giant Dow Inc., alleging that it gained access to corporate systems and exfiltrated internal data. The claims have not been independently verified, and details regarding the type or volume of data allegedly compromised have not been disclosed. Dow has not publicly commented on the incident, and the full scope and impact remain unclear.

February

February recorded 82 publicly disclosed ransomware incidents, with healthcare emerging as the most targeted sector, accounting for 31% of reported attacks. Organizations across 20 countries disclosed incidents during the month, with the United States the most affected with 51 incidents. A total of 24 ransomware groups were linked to publicly claimed attacks, led by ShinyHunters with eight incidents, followed by Qilin with six. Notably, 41% of attacks were not yet attributed to any known ransomware group.

Find out who made ransomware headlines in February.

1. Nova Biomedical recently reported that a data security incident it experienced last year compromised the sensitive personal information of 10,764 individuals. Unauthorized access to internal networks was discovered on December 18, 2025, prompting an immediate investigation to determine the nature and scope of the incident. The compromised data included names and other personal identifiers, including SSNs.

2. According to a notice on its company website, Hosokawa Micron Corporation suffered from a cyber incident in early February. The incident did not impact business operations, but the organization did confirm that electronic files were accessed by threat actors. Everest claimed responsibility for the attack, allegedly stealing 30GB of data. The group’s dark web post also included a number of screenshots of stolen documents, posted as proof of claims.

3. Everest ransomware group claimed to have breached Iron Mountain, a major global data management and storage firm, alleging the theft of around 1.4 TB of internal and client-related information and threatening to publish it if their demands weren’t met. While screenshots of allegedly compromised directories were posted on the group’s dark web leak site, Iron Mountain has stated that the incident was limited to a single folder of marketing materials accessed via a compromised credential and that no ransomware was deployed on its core systems.

4. It was announced that Onze-Lieve-Vrouw Instituut (OLV) Pulhof, a secondary school in Berchem, Belgium, suffered a ransomware attack shortly after the Christmas break. The attack disrupted its internal systems and prompted threats to leak or sell sensitive data relating to students and staff unless a ransom was paid. BitLock, who were reported to be responsible for the incident, initially demanded around €100,000, later lowering it to about €15,000, but the school declined to engage or pay, following guidance from authorities. In a troubling escalation, the threat actors then contacted parents directly, demanding €50 per child and threatening to expose personal information if payments were not made. Belgian prosecutors confirmed an ongoing investigation, and the school has advised parents not to comply with payment requests as it works to secure its systems and assess the impact.

5. INC ransomware group has claimed responsibility for a cyberattack on UK-based management software provider Distinctive Systems. The group added the company to its data leak site, publishing what it says are internal documents and contracts as evidence of the breach. Distinctive Systems confirmed it is investigating a cybersecurity incident that occurred in January and stated that all appropriate notifications have been made at this stage of the investigation.

6. Neurological Associates of Washington confirmed it notified 13,500 state residents of a December 2025 cyberattack which led to a data breach. Data compromised includes names, SSNs, diagnoses, medical information, and other types of personal information. The clinic confirmed that its facilities server that stored medical records was attacked and encrypted. DragonForce took credit for the attack, claiming to have stolen 1.4 TB of data from the clinic. Sample images of allegedly stolen documents were added to DragonForce’s dark web post.

7. Everest ransomware group claimed it had breached internal systems associated with Poly, the enterprise communications business now part of HP Inc., alleging the theft of around 90 GB of internal data and posting screenshots on its leak site as supposed proof. The materials shared appear to show engineering files, code listings and documentation tied to legacy Polycom systems, the brand HP acquired in 2022, rather than current production environments, and there is no independent confirmation that HP’s current networks or customer data were compromised. HP has acknowledged the allegations and said it is investigating, but so far has found no evidence of an active breach or impact to its customer systems.

8. Match Group, the operator of popular dating services including Match.com, Hinge, OkCupid, and Tinder, confirmed it experienced a cybersecurity incident after the threat actor group ShinyHunters claimed to have obtained and posted millions of records and internal files linked to its platforms. Match Group said the unauthorized access was quickly terminated and that it is investigating the matter with external experts, stressing that there is no evidence attackers accessed user login credentials, financial data, or private messages, though a limited amount of user-related information and internal documents were exposed and affected individuals are being notified as appropriate.

9. ShinyHunters claimed it had breached Bumble Inc., alleging the theft of roughly 30 GB of internal data from cloud services such as Google Drive and Slack and posting it on its leak site. Bumble confirmed that a contractor’s account was compromised in a phishing attack, which allowed brief unauthorized access to a limited portion of its systems, but said the incident was quickly contained. The company emphasized that no member database, user accounts, private messages or dating profiles were accessed, and it has engaged external cybersecurity experts and law enforcement to investigate the situation.

10. German insurer HanseMerkur, headquartered in Hamburg, has been listed on DragonForce’s dark web leak site following claims of a ransomware attack in early 2026, with threat actors alleging they exfiltrated nearly 97GB of internal data, including financial documents such as invoices, tax records, and vouchers, as well as possible files linked to partner Emirates Insurance. HanseMerkur has not publicly confirmed the incident or disclosed any operational impact.

11. Maryland-based Lakeside Title Co. is the target of a proposed class action lawsuit following an alleged ransomware attack. The suit claims inadequate data security exposed personally identifiable information of thousands of customers and employees. Play ransomware group claimed responsibility for the attack but did not provide detailed information relating to the type or amount of data stolen during the incident.

12. Central Ozarks Medical Center notified 11,818 individuals that some of their personal and protected health information was compromised during a November 2025 cyberattack. The types of information compromised include names, SSNs, financial account information, medical treatment information, and health insurance information. No further information relating to this attack has been made public.

13. Philippine tech firm Lenotech Corporation was allegedly targeted in a ransomware attack when the Tengu ransomware group listed the company on a dark web leak site, claiming to have exfiltrated around 136 GB of internal data and threatening to publish it if negotiations did not begin. The samples posted reportedly include internal directories and service-related files, but Lenotech has not publicly confirmed the incident.

14. In Denver, Clinic Service Corporation confirmed that it had experienced a hacking incident which led to the exposure of sensitive information. A forensic investigation confirmed that its network had been accessed for a seven-day period in August 2025. Both PII and PHI were compromised during the incident. 82,331 individuals were impacted.

15. Insightin Health announced that it experienced a cyberattack in September 2025 that led to the unauthorized access of patient data. A data review revealed that exposed files included protected health information associated with its clients. Medusa claimed responsibility for the attack and threatened to publish the stolen data. The group claims to have exfiltrated 378 GB of data from the organization.

16. ShinyHunters claimed responsibility for a November cyberattack on the University of Pennsylvania in Philadelphia. The ransomware group published datasets that it claims contain more than one million records belonging to the university. The university did not specify the exact categories of data involved, stating only that systems related to alumni relations and fundraising had been accessed. During the incident, attackers sent emails to alumni from official university email accounts announcing the intrusion.

17. ShinyHunters also published datasets of more than one million files allegedly belonging to Harvard University. The university confirmed that it had suffered a cyberattack in November which compromised its alumni systems. Attackers used phone calls to trick individuals into clicking malicious links or opening harmful attachments. Harvard confirmed that exposed information included contact information, donation details and other biographical data connected to alumni engagement and fundraising activities.

18. Customers of newsletter platform Substack were warned that email addresses, phone numbers and other metadata were leaked in a recently discovered data breach. The platform stated that it discovered a problem within its systems in early February that allowed an unauthorized third party to access limited user data. Credit card numbers, passwords and other financial data were not leaked. The statement made by the company followed an unknown hacker claiming to have stolen personal information of about 700,000 users.

19. Beacon Mutual Insurance Company confirmed it was the victim of a cyberattack in January. A notice was posted on the organization’s website following requests for comments prompted by Beacon’s appearance on ransomware tracking websites. It was confirmed that the company’s production environment was not involved in the incident, but that the company’s network was disconnected as a preventative measure. INC took responsibility for the attack, claiming to have pilfered 275 GB of highly sensitive internal data from Beacon, adding screenshots to its leak site as proof of claims.

20. Romania’s national oil pipeline operator Conpet confirmed it was hit by a cyberattack that disrupted its corporate IT systems and took its public website offline while its core pipeline operations continued unaffected. The company said it is investigating the incident with national cybersecurity authorities and has filed a criminal complaint with the Directorate for Investigating Organized Crime and Terrorism (DIICOT). Although Conpet has not disclosed technical details of the breach, the Qilin ransomware group has claimed responsibility, listing the operator on its dark web leak site and alleging the theft of nearly 1 TB of internal documents, including financial records and passport scans.

21. Lynx took credit for a cyberattack on Lakelands Public Health in Ontario, Canada. The incident caused some programs and services to experience temporary outages. LPH was unable to give details about the attack due to the ongoing nature of the investigation. Lynx claims to have stolen confidential information, posting sample images of alleged stolen documents on its leak site.

22. Sapienza University of Rome, one of Europe’s largest universities with around 120,000 students, suffered a major cyberattack that forced its IT infrastructure offline for several days, disrupting access to key services such as exam booking, email and administrative systems. University officials shut down network systems as a precaution while a technical task force, supported by Italy’s National Cybersecurity Agency and law enforcement, worked to restore services from unaffected backups. It is not clear who is responsible for this attack, but reports stated that a link was sent to the university demanding a ransom and giving a 72-hour deadline to pay.

23. In Australia, Epworth HealthCare was allegedly breached by 0APT ransomware group, which claims to have stolen 920 GB of data from the healthcare provider. The hackers’ leak post states that the stolen data includes surgical records, patient names, and billing details. The ransomware group stated that it was actively negotiating with Epworth but that the involvement of any external parties would result in an immediate sample leak to local media. However, Epworth has said that it has found no evidence of a breach.

24. The Jefferson Blount St. Clair Mental Health Authority in Alabama notified 30,434 people of a November 2025 data breach. It is believed that the stolen data, which includes both PII and PHI, was collected by JBS Mental Health between 2011 and 2025. Medusa took credit for the breach and demanded a $200,000 ransom to destroy 168.6 GB of stolen data. To prove its claim, Medusa posted sample images of what it says are documents from JBS’s servers.

25. DOCS Dermatology Group disclosed a security incident that was identified in late November 2025. An investigation determined that an unauthorized third party had access to its networks over a seven-day period, during which data was compromised. Although the data review remains ongoing, DOCS has determined that compromised data includes PII, PHI and billing information. It is not known who is responsible for this attack or how many people have been impacted.

26. A total of 3,722 clients of the Center of Neuropsychology and Learning in Michigan were affected by a data breach following unauthorized access to one of the organization’s servers. The intrusion was discovered in November 2025, and a subsequent forensic investigation found that the server had been accessed in late October. The compromised system stored protected health information, though it did not contain highly sensitive data.

27. BridgePay Network Solutions, a major U.S. payment gateway provider, confirmed it was hit by a ransomware attack that knocked its systems offline and triggered a widespread outage affecting merchants, municipalities and other organizations that rely on its infrastructure for processing card payments. The incident, first detected on February 6, disrupted core services including APIs, virtual terminals and hosted payment pages, forcing some businesses to resort to cash-only transactions while services were unavailable. BridgePay engaged federal authorities along with external forensic and recovery teams, and said initial investigations show no payment card data was compromised despite files being encrypted. Restoration efforts are ongoing with no clear timeline for full recovery as the company works to securely bring systems back online.

28. CoinbaseCartel added Dolby Laboratories, a major US tech corporation, to its dark web blog. The ransomware group did not provide any data samples or information relating to the breach. Dolby has not commented on the alleged breach.

29. WindRose Health Network informed certain patients of a security incident discovered in August 2025 involving unauthorized access to parts of its network. The affected systems contained both personal information and protected health information. While the specific data involved differs by individual, the organization believes that approximately 691 individuals were impacted by the breach.

30. In New Hampshire, Cottage Hospital detected unauthorized access to its computer network. A forensic investigation determined that hackers had access to a single file server in October 2025. The hospital confirmed that files had been exfiltrated in the incident. The impacted server contained current and former employees’ names, SSNs, driver’s license numbers, and potentially bank account information. 2,156 individuals were affected by the incident.

31. IT management software company SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server. The attack impacted the company’s office network and data center hosting quality control testing systems, SmarterTools’ portal, and its Hosted SmarterTrack network. Hackers compromised the mail server and moved laterally to the Windows servers in the data center, compromising 12 of them. Reports suggest that Warlock ransomware group was responsible for the attack.

32. 1,800 individuals were affected by a data breach at Pit River Health Service in California. An unauthorized third party hacked its systems and copied data. The healthcare provider confirmed that no data was altered or deleted in the attack. As a result of the incident, some patient services were delayed. It is not known who is responsible for the attack.

33. Brush manufacturer Trisa was targeted by Lynx ransomware group, who claimed to have exfiltrated over 1 TB of information. Trisa confirmed the incident, stating that the attacker had managed to infiltrate “clearly defined and strictly limited” areas of its IT systems for a short time. According to the company, less than one percent of the company’s data was copied. The company filed a criminal complaint following the incident.

34. Following a ransomware attack on Senegal’s Directorate of File Automation, the government department suspended operations and shut down services tied to national ID cards, immigration, and other biometric data. A senior police official stated that authorities were working to restore affected systems and that the integrity of citizens’ personal information remains intact. Green Blood Group claimed to have breached the agency and exfiltrated 139 GB of data. The group claims that stolen materials include database records, biometric information, and immigration documents. Sample files were released to support the claim.

35. Pecan Tree Dental confirmed that it experienced a cybersecurity incident involving unauthorized access to its computer systems. A notice on the dental clinic’s website was light on detail but stated that steps were being taken to secure its systems and an investigation into the incident had been launched. Official notifications indicate that up to 13,300 individuals had their protected health information exposed in the incident. Sinobi took credit for the attack, claiming to have exfiltrated 250 GB of data. The group has since leaked the stolen information on the dark web.

36. 83,354 individuals were affected by a data security incident involving the Counseling Center of Wayne and Holmes Counties. The incident caused widespread disruption to its IT systems. An investigation was launched, all impacted systems and accounts were removed, and credentials were reset. The forensic investigation determined that an unauthorized party had exfiltrated files including both PII and PHI.

37. Japan Airlines announced that unauthorized access to the reservation system on its Same-Day Luggage Delivery Service may have exposed the personal information of up to 28,000 customers. A third party accessed the system, rendering the service temporarily unavailable. The potentially compromised data includes personal information and other travel-related details.

38. The Augusta Housing Authority, one of Georgia’s largest public housing agencies, was reportedly targeted in a ransomware attack linked to the Qilin group, who posted the agency on its dark web leak site alongside several other victims. Sample documents posted by the group included personal data from low-income housing applicants and city employees. The incident affected some internal systems and potentially exposed sensitive applicant and employee data, including correspondence documents, utility reimbursement reports and payroll-related files that were shared as proof of access. Local officials took affected systems offline to contain the breach, engaged cybersecurity responders, and worked to restore services, though it remains unclear whether personal information was publicly disclosed or if a ransom demand was made.

39. EyeCare Partners announced an email security incident that was identified in January 2025. An investigation into the incident confirmed that an unauthorized third party had accessed multiple managed email accounts in late 2024 / early 2025. Data compromised in the incident includes names, contact information, health plan information, and limited clinical information. It has been reported that 17,110 individuals were affected.

40. California-based MedRevenu Inland Physicians Hospitalist Services notified relevant authorities of a cybersecurity incident that took place in 2024. The incident caused network disruption and resulted in the exposure of personal, financial and health information. BianLian claimed responsibility for the attack shortly after it happened and later leaked the stolen information.

41. Dutch telecommunications provider Odido suffered a significant cyberattack that exposed sensitive personal data from its customer contact system, affecting an estimated 6.2 million accounts. Hackers gained unauthorized access over the weekend of February 7–8 and downloaded names, addresses, mobile numbers, email addresses, bank account numbers, dates of birth and government ID details, though passwords, call records and billing information were not compromised. Odido promptly blocked the intrusion, engaged external cybersecurity experts and reported the incident to the Dutch Data Protection Authority while assuring that its core services remained unaffected. Following a ransom demand from the threat actors, parts of the stolen data were later published on the dark web after Odido reportedly refused to pay.

42. Atlas Air, a major U.S. cargo airline, denied that its systems were compromised after Everest ransomware group added the organization to its leak site. Everest claimed to have pilfered 1.2 TB of sensitive technical information, including Boeing aircraft data. Screenshots provided as proof of the claims included aircraft maintenance and repair reports, repair and logistics documentation, and internal operational corporate files.

43. Akira ransomware group added Canadian retailer Ardene to its leak site and claims to have stolen 58 GB of data. Ardene notified customers of a cyber incident that impacted its internal systems in January, causing shipping delays. Ardene stated that it was not aware that any customer data had been compromised. Akira claims to have stolen financial data, customer and employee information, and other confidential information.

44. Sakata Seed Corporation reported a cyber incident affecting servers at its US consolidated subsidiary, Sakata America Holdings Corporation Inc. The seed producer is working with U.S. law enforcement and an external cybersecurity firm to investigate the point of infiltration and potential data access. There was no significant disruption to normal business operations. Qilin has claimed responsibility for this attack.

45. A cyberattack on Grund Nursing Home System in Iceland led to the exposure of sensitive information relating to tens of thousands of individuals. The attack caused significant disruption, affecting the operations of the entire organization. It was confirmed that the stolen information spans many years.

46. Livingston HealthCare in Montana stated that its phone systems had been restored following a cyberattack. The attack disrupted communications and led the hospital to take some systems offline. An update in mid-February said that some network services remained limited, but that patient care continues. No ransomware group has stepped forward to take credit for this incident.

47. Washington Hotel, a major hospitality brand in Japan, confirmed that it was the victim of a ransomware attack after unauthorized access to several of its internal servers was detected on February 13, 2026. The breach exposed various business data on the compromised systems, prompting IT teams to immediately disconnect the affected servers from the internet and activate an incident response plan involving police and external cybersecurity experts to assess the impact and contain the threat. While customer information, such as loyalty program data stored on separate third-party systems, is currently believed to be unaffected, some hotel locations experienced temporary issues with credit card terminals and ongoing investigations are underway to determine the full scope and any potential data exposure. No ransomware group has publicly claimed responsibility for the attack.

48. The Cheyenne and Arapaho Tribes of Oklahoma stated that a ransomware attack forced them to shut down tribal computer networks. Email and phone services were disrupted and some operations were temporarily suspended as systems were restored. Rhysida took credit for the attack, demanding a $680,000 ransom in exchange for the stolen data. Tribal leaders stated they would not negotiate or pay and have not confirmed whether data was actually stolen.

49. Seagrass Boutique Hospitality Group confirmed that it fell victim to a cyberattack orchestrated by Kairos ransomware. The cybersecurity incident involved unauthorized access to part of the company’s IT network, prompting the isolation of the affected system. An investigation into the incident remains ongoing. Kairos claimed to have exfiltrated 50 GB of data from the organization, giving a seven-day deadline to meet undisclosed demands.

50. Qilin added Mount Barker Co-operative, a West Australian food co-operative, to its leak site, alongside claims that 40 GB of internal data had been exfiltrated. The stolen data allegedly contains 55,361 files, but no sample documents or additional information were available on the dark web listing. The Mount Barker Co-operative has not yet publicly addressed Qilin’s claims.

51. The ransomware group BravoX has claimed responsibility for breaching the systems of the Order of Chartered Accountants of Brittany. The group alleges it exfiltrated thousands of files totaling approximately 859GB of data. Describing the information as highly sensitive, BravoX has issued a 12-day deadline before it plans to publish the stolen data.

52. The Aeromedical Society of Australasia (ASA) was allegedly hacked by LockBit. The not-for-profit was added to the group’s leak site, and while no evidence of the hack was shared, LockBit said it would publish the stolen data on February 26. ASA is aware of the claims made by the notorious ransomware group and has made contact with relevant authorities. The organization did state that it does not hold personal information on its platforms.

53. Major French multinational aerospace, defense, and security corporation Safran Group has denied being impacted by a cyberattack. Information allegedly stolen from its systems had been inadvertently exposed by a third-party provider. Safran Group had a data set with over a million lines of data stolen and leaked by a threat actor. Stolen data included names, emails, ERP references, and other order details. The firm did not experience operational disruption or adverse security impact from the incident.

54. OpenLoop Health is facing a potential class action over an alleged cyberattack that may have exposed the health data of 1.6 million people. Threat actors claim to have hacked OpenLoop’s computer system and to have accessed a cache of highly sensitive and private information. The lawsuit alleges OpenLoop failed to notify patients of the data breach.

55. Issaqueena Pediatric Dentistry recently reported a hacking incident that involved unauthorized access to PII and PHI. The incident is still being investigated, so the number of affected individuals has yet to be confirmed. The healthcare provider discovered the intrusion in mid-November when ransomware was used to encrypt files. Interlock claimed responsibility for the attack.

56. AltaMed Health Services Corporation recently alerted patients about a cybersecurity incident that took place in mid-December 2025. The incident limited access to some of its computer systems. Third-party cybersecurity experts were engaged to assist with the investigation, which remains ongoing. It has been determined that the compromised systems contained some patient information.

57. German-based athletic apparel and footwear manufacturer Adidas started an investigation into a potential data breach of one of its independent licensing partners following claims made by a cybercriminal group. An individual claiming affiliation with the Lapsus$ Group posted on BreachForums, asserting that the group had compromised Adidas’ extranet. The post claimed that 815,000 rows of data, including personal information and technical data, had been stolen. Company representatives stated that there is no indication that internal IT systems, e-commerce platforms, or consumer data have been affected by the incident.

58. The ShinyHunters ransomware group has been associated with a breach involving Figure Technology Solutions, claiming that personal and contact information linked to 967,200 accounts was stolen. The intrusion reportedly involved a limited number of files taken from the company’s internal network. The exposed data is said to include more than 900,000 unique email addresses along with additional personal details. After alleging that Figure declined to pay an undisclosed ransom, the group published 2.5 TB of data purportedly taken from thousands of loan applicants.

59. Advantest Corporation, a major Japanese semiconductor test equipment manufacturer, disclosed it is responding to a ransomware incident that was detected on February 15, 2026, after unusual activity was identified within its IT environment. The company immediately activated its incident response plan, isolated affected systems and brought in third-party cybersecurity experts to investigate and contain the breach. Preliminary findings suggest an unauthorized third party may have gained access to parts of Advantest’s network and deployed ransomware, though no specific ransomware group has taken credit and there is no confirmed evidence of data theft at this stage. Advantest has stated that if customer or employee data is found to have been compromised, affected individuals will be notified directly, and it continues to investigate the full scope of the incident while reinforcing security measures.

60. North East Medical Services (NEMS) notified 91,513 patients of an October 2025 data breach following a cyberattack on its third-party software provider, UnitedLayer. The impacted data includes Social Security numbers and medical information. RansomHouse claimed responsibility for the attack, claiming to have encrypted UnitedLayer’s data and providing evidence packs to prove its claims. UnitedLayer has not confirmed the ransomware group’s claim.

61. Finance platform youX confirmed its systems were accessed by an unauthorized third party during a cybersecurity incident. A hacker has claimed to have stolen information from 444,528 Australian borrowers including addresses, emails, phone numbers, government IDs and credit information. Another 629,597 loan applications, 229,226 driver’s licence numbers and 607,522 residential addresses were allegedly stolen, along with banking records, customer and staff details from 797 broker organizations.

62. ShinyHunters has claimed responsibility for a major breach of CarGurus, the U.S.-based online automotive marketplace, and published a dataset containing personal information tied to more than 1.7 million accounts after an apparent failed extortion attempt. The leaked archive, roughly 6.1 GB in size, is reported to include names, email addresses, phone numbers, physical and IP addresses, user account IDs, finance pre-qualification application data and dealer subscription information. CarGurus has not publicly confirmed the incident, but the breach has been added to Have I Been Pwned’s database.

63. Catalyst RCM, a U.S.-based medical revenue cycle management provider, confirmed that a ransomware-linked data breach first detected in November 2025 has impacted sensitive information it stored on behalf of healthcare clients. Between November 8 and November 9, 2025, an unauthorized actor used compromised credentials to access a secure file management system and copied data without permission. The compromised information may include names, dates of birth, payment card details, protected health information and insurance data for patients of clients such as Vikor Scientific (now Vanta Diagnostics), KorPath and KorGene, with regulatory filings indicating approximately 139,964 individuals were affected. The ransomware group Everest claimed responsibility on a dark web leak site.

64. WIRX Pharmacy has notified 20,104 individuals of a December 2025 cybersecurity incident that may have resulted in unauthorized access to protected health information. Upon discovering suspicious activity, systems were secured and an investigation was launched. A review of exposed files confirmed that personal and protected health information were present in the files on the compromised parts of its network. The affected data varies from individual to individual.

65. In California, Emanuel Medical Center started notifying current and former patients about a May 2025 security incident. Cybersecurity experts confirmed unauthorized access to the healthcare provider’s network in May, and that files containing personal and protected health information were present on affected systems. Data compromised in the incident varies from individual to individual.

66. Choice Hotels International disclosed that on January 14, 2026, a threat actor used a social engineering attack to gain unauthorized access to an internal application containing records related to franchisees and franchise applicants, despite multifactor authentication being in place. Choice detected the activity and shut it down in less than an hour, then determined through investigation that the accessed records included personal information such as names, contact details, Social Security numbers and dates of birth. The breach appears to be limited to franchisees and applicants rather than hotel guests. Regulatory notices have been filed in multiple U.S. states, though an exact total of impacted individuals has not been publicly disclosed. No ransomware group has claimed responsibility for the incident.

67. In Northern Ireland, Grange Dental Care fell victim to a cyberattack that resulted in fraudulent emails being sent from the practice’s system. The issue was identified quickly, and the practice’s IT provider was contacted immediately to prevent further damage. Certain information was accessed during the attack, but it appears that no sensitive data or personal information was compromised. Investigations remain ongoing.

68. The University of Mississippi Medical Center (UMMC) confirmed that it was hit by a ransomware attack that disrupted its IT network, taking down key systems including its Epic electronic medical records platform and forcing it to shut down clinics statewide and cancel elective procedures while recovery efforts continued. Officials worked with federal agencies including the FBI, CISA and DHS to respond to the incident and restore services. Hospital inpatient and emergency services remained operational using downtime procedures, but phone, email and electronic health systems were offline for days as teams assessed the damage, communicated with the attackers and rebuilt secure infrastructure. UMMC has since begun reopening clinics and rescheduling appointments more than a week after the attack, though the full scope of the breach and whether patient data was accessed has not been publicly disclosed.

69. The Grand Hotel in Taipei issued a warning to customers of a possible data breach after discovering unauthorized access to its information systems. Upon discovering the attack, the hotel disconnected affected systems, conducted a security review and notified relevant authorities to investigate the incident. The Gentlemen ransomware group claimed responsibility for the attack.

70. Wynn Resorts, the luxury casino and hotel operator, was targeted by the ShinyHunters cyber extortion group, which claimed to have stolen more than 800,000 employee records including sensitive personal information. ShinyHunters listed Wynn on its data leak site and demanded 22.34 BTC (about $1.5 million) to delete the data and prevent its public release, setting a deadline for the company to engage with its demands. The stolen records are reported to contain details such as names, Social Security numbers, phone numbers and other PII, though Wynn Resorts has stated its guest operations and physical properties were not impacted. ShinyHunters later removed Wynn’s listing from its leak site, which in some cases indicates negotiations or disputed claims.

71. 56,954 patients have been impacted by a cybersecurity incident involving Greater Pittsburgh Orthopedic Associates. Unauthorized third-party access to its IT network was discovered in August 2025, prompting an investigation into the incident. The forensic investigation determined that personal and health information was compromised during the attack. RansomHouse claimed responsibility for the attack.

72. Air Côte d’Ivoire, the flag carrier airline of Côte d’Ivoire, confirmed it was the victim of a cyberattack after parts of its information systems were breached on February 8. The airline activated its business continuity plans to ensure flights and operations continued normally while technical teams and national cybersecurity authorities investigated the incident. INC ransomware gang claimed responsibility, asserting it had stolen around 208 GB of data and set a ransom deadline, though the airline has not confirmed the exact volume or nature of the compromised information.

73. The French Ministry of Finance disclosed a cybersecurity incident that exposed data associated with approximately 1.2 million user accounts after a threat actor accessed the FICOBA database. An internal investigation determined that a hacker used stolen credentials to access the platform, which records all bank accounts opened by French financial institutions. Information including bank account details, account holder identities, physical addresses, and in some cases, taxpayer identification numbers, may have been compromised. At this time, those responsible for this incident have not been publicly identified.

74. In Thailand, the Sasin School of Management has launched an investigation into a recent cybersecurity incident impacting a portion of its IT infrastructure. After detecting suspicious activity, the school took immediate steps to secure its systems and remove unauthorized access. The investigation remains ongoing, and at this stage there is no indication that critical data systems were breached. The Gentlemen ransomware group has claimed responsibility for the incident.

75. Qilin claimed responsibility for a cyberattack on the Transport Workers Union (TWU) Local 100, which represents tens of thousands of New York City transit workers and retirees, including subway, bus and ferry staff. Qilin added the union to its dark web leak site, alleging it had stolen 551 GB of sensitive information during the recent attack. While Qilin did not say how much information was taken or what files were involved, TWU Local 100 disclosed on its website that its collection and retention of employees’ contact details, salary information, job titles, medical and insurance benefits, and retirement and pension planning information had been impacted.

76. UFP Technologies, a U.S.-based medical device and industrial component manufacturer, disclosed it was the victim of a cyberattack that disrupted parts of its IT environment and prompted the company to take affected systems offline as part of its response. The incident resulted in the encryption of certain data and temporarily impacted business operations while the organization worked with external cybersecurity experts to investigate and restore systems. UFP notified regulators and began reaching out to potentially affected customers, vendors and employees as part of the remediation process. No known ransomware group has claimed responsibility for this attack.

77. INC claimed responsibility for a cyberattack which caused disruption to the City of Cocoa in Florida. The city was forced to navigate a significant number of municipal IT issues that severely impacted local government operations. In response to the system failures, the City Council issued an emergency declaration and expedited the allocation of resources for system restoration and forensic investigation. INC added a number of leaked documents to its leak site to substantiate the claims but did not give information on the amount of data allegedly exfiltrated.

78. In mid-February, the Qilin ransomware group listed Western Australia-based electronics retailer Esperance Communications on its dark web leak site, alleging it had stolen 14GB of data comprising more than 16,000 files. However, the group did not publish any screenshots or supporting documents to substantiate its claims.

79. Pathstone Family Office, a U.S.-based financial services firm, confirmed that it suffered a data breach after the ShinyHunters cybercriminal group published sensitive information on its leak site. According to the threat actor, the stolen dataset, consisting of 641,000 records, included financial documents and personally identifiable information tied to clients and employees, and was posted after the company reportedly declined to meet an unspecified ransom demand. While Pathstone acknowledged the incident and has been notifying affected individuals, it is working with cybersecurity specialists to assess the full scope of the exposure.

80. Hong Kong’s popular Ngong Ping 360 cable car attraction disclosed that it was the victim of a ransomware attack which resulted in the theft of personal data from its systems. The breach exposed information belonging to visitors who had purchased tickets online, including names, phone numbers, email addresses and payment card details, prompting the operator to report the incident to the Hong Kong Privacy Commissioner for Personal Data and offer support to those affected. Local authorities and cybersecurity experts were engaged to investigate the incident and strengthen defenses against future attacks.

81. Malaysia’s flag carrier Malaysia Airlines was listed by the Qilin ransomware group on its dark web leak site as a victim of a cyberattack, with the threat actor claiming to have exfiltrated sensitive data and threatening its public release unless negotiations take place. As of now, no proof or samples of stolen information have been published, and Malaysia Airlines has not officially confirmed the scope of the breach or what specific data, if any, was accessed.

82. 2,500 individuals have recently been notified of a ransomware attack on Apex Spine & Neurosurgery, which led to the compromise of their electronic protected health information. During the December attack, threat actors accessed its network and used ransomware to encrypt files. A forensic investigation confirmed that files were also accessed and copied during the incident. PII, PHI and some financial information were involved in the attack. Interlock ransomware group claimed responsibility for the attack, allegedly stealing 20 GB of data. Interlock proceeded to leak the stolen information as the ransom was not paid.

January

2026 opened with 91 publicly disclosed ransomware attacks. Healthcare was the most targeted sector with 27 incidents, followed by government with 11 and manufacturing with 10. Notably, 49% of the attacks recorded this month have not yet been publicly claimed by a known ransomware group. Among the claimed attacks, Qilin once again led activity with eight incidents, while 19 other groups were also linked to ransomware activity. The USA accounted for 58% of disclosed attacks, with organizations across 22 other countries also impacted, highlighting the truly global reach of ransomware.

Keep reading to find out who made ransomware headlines in January.

1. Kids’ footwear operator Esquire Brands was reportedly targeted by the Play ransomware group, which claims to have stolen sensitive company data. The group listed Esquire Brands on its dark web leak site and threatened to publish the data on January 3, 2026, if no contact was made. According to the post, the alleged data includes client documents, payroll records, financial information, and other confidential materials. Esquire Brands has not publicly acknowledged or commented on these claims.

2. Claims administration firm Sedgwick confirmed a cybersecurity incident at its government-focused subsidiary after the TridentLocker ransomware group publicly claimed responsibility for stealing approximately 3.4 GB of sensitive data. The affiliate, Sedgwick Government Solutions, which provides risk management and claims services to several U.S. federal agencies, was listed on TridentLocker’s dark web leak site on December 31, 2025, with the attackers threatening to expose the stolen information. Sedgwick said it activated incident response protocols, engaged external cybersecurity experts and notified law enforcement, emphasising that the breach was limited to an isolated file transfer system with no evidence of impact on broader systems or its ability to serve clients. 

3. U.S. hot sauce and food products manufacturer Garner Foods, known for brands like Texas Pete, was claimed as a victim by Play, which posted the company on its dark web leak site in early January 2026, warning it would publish allegedly stolen data if contact was not made by January 7. According to the Play dark web post, the alleged data includes confidential information, client records, budget and payroll details, though the extent of the compromise and volume of data taken has not been publicly verified. Garner Foods has not yet issued a public statement confirming or addressing the ransomware group’s claims.

4. New Zealand–based patient portal ManageMyHealth was the target of a significant ransomware attack, during which Kazu reportedly breached the platform, exfiltrating hundreds of thousands of sensitive medical records affecting over 120,000 users. The attackers demanded a ransom, reportedly around $60,000, and threatened to publicly release the stolen data. ManageMyHealth secured its systems, notified authorities and sought a High Court injunction to block dissemination of the files. ManageMyHealth publicly confirmed the cybersecurity incident, acknowledging the breach’s impact on a portion of its user base, and is working with law enforcement and regulators while notifying affected patients, although questions remain about the full scope and response to the compromise.

5. In Canada, Leduc County became aware of a ransomware incident that had taken place on December 25, 2025. The attack disabled some of the county’s IT systems, including its email platform and website form submissions. Some other IT systems were proactively disabled during an ongoing forensic investigation. No known ransomware group has claimed the attack.

6. Florida-based engineering firm Pickett and Associates was reportedly the subject of a significant cyberattack in early January, with an unknown threat actor claiming to have stolen approximately 139 GB of sensitive engineering and infrastructure data tied to major U.S. utilities such as Tampa Electric Company, Duke Energy Florida, and American Electric Power. The group is offering the data for sale on a dark web forum for around 6.5 BTC (about $580,000). The alleged haul includes raw LiDAR point cloud files, orthophotos, design files and other operational project data believed to relate to active utility infrastructure work. Pickett and Associates has not publicly confirmed the breach, and investigations into the claim are reportedly underway by affected clients.

7. A recent cyberattack on third-party payment processor Global-e exposed personal data for customers of companies using its services, including hardware wallet maker Ledger. Hackers accessed names and contact information stored in Global-e’s systems for order processing, although neither Ledger’s internal systems nor sensitive wallet security details like recovery phrases or private keys were compromised. Affected customers have been notified. It is not yet known who is responsible for this attack. 

8. More than one year after a ransomware attack, Denton County MHMR Center reported a major data breach that involved unauthorized access to the PHI of 108,967 current and former patients. Potentially compromised information includes medical history information, treatment information, insurance data and biometric identifiers.

9. U.S. fiber broadband provider Brightspeed is investigating claims by the cybercriminal group Crimson Collective that it accessed and exfiltrated sensitive data for over 1 million customers, including names, contact details, billing information and partial payment card data. The group announced the alleged breach via its Telegram channel in early January with a threat to release or sell the information publicly, posting sample records as purported proof. Brightspeed has not confirmed a breach of its systems or the extent of any data exposure and says it is actively reviewing the situation and keeping customers and authorities informed as its internal investigation continues.

10. Everest claimed that it had exfiltrated approximately 186 GB of sensitive data from global insurtech platform Bolttech, threatening to publish the information if its demands were not met. The group posted alleged proof on its dark web leak site, stating the data includes employee and agent account details, customer contact information, insurance policy records, mortgage-related files and other operational materials. Bolttech has not publicly confirmed or commented on the claims.

11. Australian car rental excess insurer Prosura disclosed a significant data breach and cyber incident after unauthorized access to parts of its internal IT systems was detected on January 3. The threat actor responsible for the incident obtained customer personal and policy information and began contacting customers with fraudulent communications. The compromised data is reported to include names, email addresses, phone numbers, travel and policy details, and, for some claimants, driver’s licence images, with attackers subsequently posting samples of the stolen records on criminal forums and attempting to sell them. Prosura took key online services offline, notified regulators and external cybersecurity experts, advised customers to be cautious of phishing attempts, and said it is investigating and securing its systems, emphasizing there is no evidence that payment card details were accessed.

12. Gulshan Management Services confirmed that it had notified 377,082 people about a September 2025 data breach that compromised personal information. The gas station operator informed victims that a successful phishing attack allowed unauthorized access to its systems. The unknown attackers also encrypted portions of GMS’s network. Compromised information includes names, SSNs, credit and debit card numbers, driver’s license numbers, and contact info. 

13. ASX-listed gold producer Regis Resources confirmed it had experienced a cybersecurity incident after the Lynx group claimed responsibility for an attack and listed a subsidiary, McPhillamys Gold, on its dark web site. Regis stated the activity was detected in November 2025 and that its security controls responded as designed, with a subsequent forensic investigation finding no evidence of data exfiltration and no ransom demand. The company said relevant authorities were notified and confirmed the incident had no material impact on operations or commercial activities.

14. Anubis ransomware group claimed that it had breached the systems of Australian medical clinic Laidley Family Doctors, listing the practice on its dark web leak site and alleging exposure of sensitive information. According to the group, data such as names, gender, Medicare details, and medical history was compromised during the incident. Data samples were also shared on the dark web as proof of claims. Laidley Family Doctors has not publicly confirmed or commented on the ransomware claims.

15. Lynx claimed responsibility for a cyberattack on St Joseph’s College Echuca, posting the Australian Catholic co-educational school on its dark web leak site and asserting it had encrypted or breached the college’s network and obtained data. According to the group’s listing, the incident was disclosed on January 5, though no proof was provided and the full details of any data compromise remain unclear. St Joseph’s College Echuca has not publicly responded to or confirmed the ransomware claims.

16. Bosch Choice Welfare Benefit Plan disclosed a data breach after unauthorized access to its systems exposed sensitive personal and health information of approximately 55,000 individuals. Compromised information included names, SSNs, DOBs, health insurance details, medical claims data and information related to medical conditions. 

17. Pearlman Aesthetic Surgery reported a breach of protected health information of 11,764 individuals. The specifics of the breach have not yet been disclosed, other than it being a hacking/IT incident.

18. Associated Radiologists of the Finger Lakes announced that it had identified unauthorized access to its computer network in October 2025. An investigation confirmed unauthorized access led to patient data being viewed or copied. The file review is currently ongoing but at this stage it is believed that both PII and PHI were compromised as a result of the incident.

19. Andover Eye Associates in Massachusetts announced that it experienced an email security incident that exposed the data of 1,638 individuals. An investigation confirmed that an unauthorized third party had accessed the accounts in May, leading to the exposure of sensitive information. The accounts contained patient names and Social Security numbers. It is not clear who is responsible for the attack.

20. Legal firm Gorlick, Kravitz & Listhaus announced that a September 2025 data breach had compromised sensitive personal information belonging to its clients. Information impacted varies depending on the individual, but names and SSNs were among the data types stolen. Akira claimed responsibility, allegedly exfiltrating 22 GB of data from the organization. 

21. Qilin claimed responsibility for a cyberattack on Italian water-sports equipment manufacturer Cressi, posting the company on its dark web leak site on January 8, 2026 and threatening to release sensitive data unless contact was made. According to the public listing, Qilin alleges it breached the organization’s systems, though it has not published data samples or detailed what information may have been accessed, and the extent of any exfiltration remains unclear. Cressi has not publicly confirmed or addressed these claims.

22. Details emerged of a November attack on Royal Borough of Kensington and Chelsea Council in London that affected IT systems shared with neighbouring councils, leading to widespread disruption of services and confirmed unauthorized data copying by the attackers. The council acknowledged that some sensitive information was copied and taken from its network, with investigations ongoing to determine the full scope of the breach and whether personal or financial details were involved. Residents were warned to be vigilant against potential scams using the compromised information. The incident prompted notification of the Information Commissioner’s Office, involvement of the National Cyber Security Centre and Metropolitan Police, and communication to more than 100,000 households about possible risks stemming from the breach.

23. The Pell City School System informed parents of a data breach stemming from a ransomware attack in late 2025. The superintendent said the district’s student information system was not impacted, though a third-party vendor experienced a security incident that resulted in data theft. While the district has not provided further details about the information involved, it confirmed in its parent notification that it will not pay the ransom. The Safepay ransomware group claimed responsibility for the attack in December 2025 but did not release additional details about the breach.

24. Hale Makua Health Services, a non-profit healthcare provider based in Maui, Hawaii, reported a ransomware-related data breach to the U.S. Department of Health and Human Services after the Qilin ransomware group claimed responsibility. The group alleged it had accessed the organization’s systems and posted sample screenshots on its dark web portal as proof of access. The specific types of information exposed have not been publicly detailed. The HHS breach listing currently reflects a provisional figure of 500 affected individuals, which is expected to be updated following the completion of an internal investigation.

25. Anubis ransomware group publicly claimed responsibility for a cyberattack against Chilean energy and resources company Copec S.A., alleging it exfiltrated a substantial volume of corporate data and threatening to release the information unless negotiations occurred. According to the group’s posts, roughly 6 TB of sensitive data was taken and included internal documents, communications and employee-related files, though these claims have not been independently verified. Copec acknowledged the incident and said it detected and contained the activity without impacting operations or customer personal data, but details about the scope of the alleged data compromise remain unclear as the situation continues to be investigated.

26. The City of Midway, Florida, confirmed that its police department’s SmartCOP cloud-based records system was compromised in a ransomware incident, disrupting access to police documents and public records and prompting an ongoing investigation by local law enforcement. Officials said the breach may have affected sensitive public records and warned residents to be cautious of suspicious communications that could be tied to the incident, though details about what specific data was impacted have not been disclosed. The situation came to light after community members reported difficulties obtaining records, and authorities are urging vigilance while the investigation continues.

27. A class-action lawsuit alleges that premier Manhattan plastic surgeon Dr Richard Swift’s office was compromised in an apparent malware attack that resulted in the theft and public posting of highly sensitive patient information, including nude images, Social Security numbers, medical and financial records, and other personal data for at least 22 individuals on a Russian-hosted website. According to court filings, some patients only discovered their private images had been published after the hackers contacted them directly, and the suit claims the surgeon’s office failed to notify patients or authorities about the breach as required by law, leaving victims exposed to risks of identity theft, fraud and emotional distress. Plaintiffs allege the practice’s computer systems were inadequately protected, that multiple requests for information were ignored, and that the website remained active for months before it went offline, with the surgeon’s office declining to comment when contacted for a response.

28. Everest ransomware group claimed responsibility for a major cyberattack on Japanese automaker Nissan Motor Corporation, alleging it exfiltrated approximately 900 GB of internal data from the company’s systems and posting sample screenshots on its dark web leak site to support the claim. According to analysis of the shared samples, the alleged data includes internal documents such as dealership records, program files, and operational folders, and the group has reportedly given Nissan a deadline to respond before publishing the full dataset publicly. Nissan has not publicly confirmed or denied the breach claim.

29. The nonprofit behavioural healthcare organization The Devereux Foundation was reportedly targeted by The Gentlemen ransomware group, which claimed to have breached its systems and posted an extortion notice on a dark web forum, warning that sensitive organizational data could be leaked unless contact was made. According to public breach notifications, the foundation detected suspicious activity and moved quickly to isolate affected systems and engage cybersecurity specialists, and it acknowledged that information related to employees, clients, donors, payors and partners may have been involved, including names, demographic, clinical and financial details. The investigation into the scope of the incident is ongoing.

30. The University of Hawaii Cancer Center suffered a ransomware attack that compromised servers supporting its research operations, resulting in the encryption of files and unauthorized access to sensitive research data, including documents containing Social Security numbers and other personal information of study participants. The centre said the breach did not affect clinical operations or medical treatment systems, and it engaged external cybersecurity experts to isolate affected systems, obtain decryption tools and work toward securing the destruction of data accessed by the attackers. 

31. Six months after the initial attack, Canopy Health notified some patients of a cyberattack which led to patient details being compromised. A statement from the healthcare provider confirmed that in mid-July unauthorized individuals gained access to part of its systems used by the administration team. While an investigation remains ongoing, Canopy noted that the threat actors may have accessed a small number of bank account numbers. 

32. South Korean conglomerate Kyowon Group, which operates across education, publishing and consumer services, confirmed it was hit by a ransomware attack that disrupted operations and may have exposed customer data, prompting an ongoing investigation with national authorities and external cybersecurity experts. Government investigators estimate that the incident could potentially affect up to 9.6 million user accounts, with abnormal activity detected across a large portion of the company’s servers and signs of a possible data leak under review. Kyowon has stated it is assessing the scope of the breach and has not yet confirmed whether personal data was actually accessed, and it plans to notify users transparently if a leak is verified. 

33. Avosina Healthcare Solutions confirmed that it notified 44,425 people of a July 2025 data breach that compromised names, addresses, medical info, and health insurance info. Qilin took credit for the incident in August, posting sample images as proof of claims on its dark web leak site. These images included an employee payslip, a medical intake form, a business contract, an invoice, and a medical report. 

34. Dublin Medical Center in Georgia recently started notifying individuals affected by an October 2025 cybersecurity incident. Suspicious activity was identified within its computer network, but it has not been confirmed when the unauthorized access started. The review of files confirmed that patient data was compromised in the incident, and that data types varied from individual to individual. The incident has impacted 32,090 patients. 

35. Vida Y Salud-Health Systems reported a data breach involving the unauthorized access to protected health information of 34,504 Texas residents. An investigation into the October attack has concluded and confirmed that names, addresses, dates of birth, SSNs, driver’s license numbers, account numbers and claims numbers had been stolen.

36. An unknown threat actor posted claims on dark web forums that they had obtained and were offering for sale internal data from U.S. retail giant Target, including an estimated 860 GB of source code, system configuration files and developer documentation tied to critical internal projects such as digital wallet services, networking tools and identity systems. Sample data was briefly made available in public repositories to demonstrate access before those resources were taken offline, and Target reportedly restricted access to its internal development infrastructure in response. The company has not publicly confirmed a breach or addressed the claims directly.

37. Appalachian Community Federal Credit Union notified 30,797 individuals about an October 2025 data breach. The breach compromised names, SSNs, and financial account info. Qilin took credit for the incident and claimed to have stolen 75 GB of data.

38. The Department of Education in Victoria, Australia confirmed that an unauthorized third party gained access to its education network, exposing personal information for current and former government school students across the state’s system. Attackers accessed student names, school-issued email addresses, year levels, school names and encrypted passwords stored in a central database, prompting the department to implement safeguards, temporarily disable affected systems and reset all student passwords as a precaution. The department said there is no evidence the accessed data has been publicly released or shared. Authorities, including the Office of the Victorian Information Commissioner, are now investigating the breach.

39. European travel company Eurail B.V., which operates the Interrail and Eurail pass systems, disclosed a data security breach in which unauthorized access to its customer database resulted in the exposure of sensitive personal and travel information. The compromised information is reported to include names, contact details, home addresses, dates of birth and, for some travellers, particularly participants in the EU’s DiscoverEU programme, passport details, bank account references and health data. The total number of affected individuals has not been disclosed and there is currently no evidence the data has been publicly misused. Eurail said it secured the affected systems, engaged external cybersecurity specialists and notified relevant data protection authorities while continuing its investigation and directly informing impacted customers.

40. Belgian hospital network AZ Monica was hit by a ransomware attack that forced the proactive shutdown of its IT servers, disrupting access to electronic medical records and leading to the cancellation of scheduled procedures and the transfer of critical patients to other hospitals as a precaution. With emergency departments operating at reduced capacity and paper-based processes in place, hospital leadership emphasised that patient safety and continuity of care remained the top priority while authorities and cybersecurity teams investigate the incident. There is no confirmed public disclosure that patient data was exfiltrated, and unverified reports of a ransom demand have not been confirmed by officials.

41. In Texas, Spindletop Center notified victims of a September 2025 ransomware attack which led to personal information being compromised. The attack rendered systems and servers inoperable for a limited time. Rhysida claimed to have stolen personal records belonging to 100,000 people, posting images on its dark web site as proof of claims, and demanding a ransom of 15 BTC (around $1.65 million). 

42. The Land and Agricultural Development Bank of South Africa (Land Bank) experienced a major IT systems disruption that took key services and internal systems offline as the organization investigated a suspected cyber incident affecting its operations. The bank said affected systems were taken offline as a precaution to protect its infrastructure and that internal teams, supported by external specialists, were working to restore full functionality and assess the cause of the outage. It is not yet clear if any information has been stolen during the incident. 

43. Ju Teng International Holdings Limited disclosed a data security incident after discovering a post on a dark web forum offering access to sensitive information reportedly obtained through a cyberattack targeting certain company laptops. Compromised data is said to include client names, project details, customer and supplier contact lists, and product information, and the company has launched an investigation and engaged cybersecurity specialists to assess the full scope and strengthen its security posture. INC was responsible for the attack, claiming to have stolen 200 GB of data. 

44. The Irish agri-trading company J Grennan & Sons was listed as a victim by the Akira ransomware group, with the threat actors claiming on a dark web leak site that they had targeted the business and threatening to publish sensitive financial and personal information, including invoices and employee and customer records. J Grennan & Sons confirmed it was the victim of a cyberattack that significantly disrupted operations and engaged external cybersecurity experts, and said it is “reasonably confident” that data held on its systems had not been accessed.

45. Spanish energy provider Endesa, one of the country’s largest electricity and gas companies, confirmed that it detected unauthorized access to its commercial platform, resulting in the exposure of customer personal and contract-related information and triggering an ongoing cybersecurity investigation. A threat actor on dark web forums claimed to have obtained a large database, allegedly over 1 TB of data tied to more than 20 million individuals, including names, contact details, national identity numbers, energy contract information and, in some cases, bank IBANs. 

46. Genesis claimed responsibility for a December 2025 ransomware attack on Upper Township, New Jersey. Genesis claimed to have stolen 100 GB of data from official servers, threatening to publish it if an undisclosed ransom was not paid. The data is said to include financial and personal information. Township officials claim that an investigation into the incident is ongoing, but that they are aware of the data posted on the dark web. 

47. U.S. food delivery platform Grubhub confirmed that hackers gained unauthorized access to certain internal systems and stole company data, prompting an ongoing investigation and involvement of law enforcement and external cybersecurity specialists. The company said that while financial information and order histories were not affected, attackers did extract data from some systems. Sources have indicated the ShinyHunters group is attempting to extort Grubhub by threatening to leak Salesforce and Zendesk-related information unless they are paid a ransom. Grubhub responded by stopping the activity, strengthening its security posture and working to contain the incident, but has not disclosed the full extent or specific nature of the compromised data.

48. The Port System Authority of the Central Adriatic Sea (Ancona) was hit by a cyberattack that resulted in data theft and publication on the dark web. The Anubis ransomware group exfiltrated approximately 56,000 files across 8,000+ folders, including internal administrative documents and employee-related data (potentially HR and sensitive records). The Authority stated the stolen material represented roughly 2% of its overall data, and the incident occurred during a broader IT migration to Italy’s national strategic infrastructure.

49. Qilin ransomware group publicly claimed responsibility for a cyberattack on Moen, the U.S.-based manufacturer of faucets and plumbing fixtures, posting the company on its dark web leak site and warning that sensitive data would be released unless contact was made. Qilin has not disclosed how much data it may have exfiltrated nor released any sample files alongside its listing. Moen has not publicly addressed the claims. 

50. NightSpire ransomware group claimed it breached systems at the Hyatt Place Chelsea New York hotel, alleging it exfiltrated roughly 48.5 GB of sensitive data and posting samples on a dark web leak site to support its claim. Stolen files reportedly include internal documents such as invoices, expense reports with employee names and contact information, signatures, partner company data and potentially employee login credentials. 

51. Chinese electronics manufacturer Luxshare, a key assembler for major tech companies including Apple, Nvidia and Tesla, was reportedly the target of a ransomware attack orchestrated by RansomHouse. The ransomware group claimed to have infiltrated its systems, stealing more than 1 TB of confidential data, including engineering files such as 3D CAD models, circuit board designs, internal product documentation and employee personal information. According to threat actor posts on dark web leak sites, the stolen data spans projects tied to multiple high-profile clients and could enable reverse-engineering, production of counterfeit products or targeted attacks. Neither Luxshare nor affected partners have publicly confirmed the breach or commented on the claims.

52. TotalEnergies is investigating claims of a large-scale data breach after a hacking group began posting samples of what it says is a database of nearly 184 million customer records on social media and cybercrime forums. The attackers assert the exposed information includes email addresses, client IDs, bank account numbers, home addresses, phone numbers and other personal details tied to customers of the French energy giant’s services. TotalEnergies has not confirmed a breach or validated the data, and the full scope and authenticity of the alleged incident remain under review.

53. A serious cyberattack caused an extended closure at Higham Lane School in the UK and, while the school has since reopened, staff continued to face significant limitations in accessing IT systems. The incident disabled core digital infrastructure, preventing the school from operating essential safety and administrative systems. It was also confirmed that data was removed during the attack, although the school has not disclosed what types of information may have been impacted.

54. Imperial Beach Community Clinic recently disclosed a cybersecurity incident and data breach that was identified almost one year ago. Unusual activity was detected within the healthcare provider’s email environment in mid-April 2025. An investigation determined that an unauthorized individual had access to certain email accounts, and certain information had been acquired. Compromised data includes both PII and PHI of an undisclosed number of individuals. 

55. In Wisconsin, Valley Eye Associates announced that it fell victim to a ransomware attack in early October 2025. An investigation determined that a ransomware group had access to its network for a one-day period, during which time files were exfiltrated from its network. Qilin claimed responsibility for the attack and published the stolen data, which it claimed amounted to 139 GB.

56. The Canadian Investment Regulatory Organization (CIRO), Canada’s national self-regulatory body for investment dealers and market activity, confirmed that a sophisticated phishing attack led to a significant data breach affecting approximately 750,000 Canadian investors, with threat actors accessing and copying sensitive personal and financial information. Stolen data includes dates of birth, phone numbers, annual income, social insurance and government-issued ID numbers, investment account numbers and account statements. CIRO said it contained the incident, engaged external forensic experts, and found no evidence the stolen data has been misused or appeared on the dark web.

57. The Ayuntamiento de Beniel (Beniel Town Hall) in Spain experienced a serious cybersecurity incident that temporarily knocked its municipal IT systems offline, disrupting regular administrative operations and forcing staff to work manually while services were restored. Local officials activated security protocols and are working with regional and national cyber authorities to investigate the extent and impact of the breach, though details about any specific data compromise have not been disclosed. The Gentlemen ransomware group claimed responsibility and threatened to publish sensitive information unless contact was made.

58. Everest claimed responsibility for a cyberattack on ASRock Rack, a major server and datacenter hardware manufacturer, alleging it exfiltrated approximately 509 GB of sensitive data including technical documentation, firmware, software, BIOS files, diagnostic tools and baseboard management controller (BMC) firmware. The listing on Everest’s dark web leak site also included screenshots posted as proof of claims. ASRock Rack has not issued a public confirmation or detailed response to the claims.

59. Reproductive Medicine Associates of Michigan (RMAM) informed patients of a recent cyberattack in which unauthorized threat actors accessed its network and stole sensitive data. The organization identified suspicious activity and took immediate steps to secure its IT environment. The specific types of information affected have not yet been confirmed, and the investigation into the scope of the incident is ongoing.

60. Indian music streaming platform Raaga confirmed a major data breach in which unauthorized access to its systems resulted in the exposure of personal information for approximately 10.2 million users, with the stolen dataset subsequently offered for sale on underground cybercrime forums. The compromised information reportedly includes email addresses, names, gender and age details, geographic location data and passwords hashed using unsalted MD5. Raaga has not released detailed disclosures about how the breach occurred or what specific systems were affected.

61. The Minnesota Department of Human Services started notifying nearly 304,000 individuals after unauthorized access was identified within its MnCHOICES system. An investigation determined that for most of the individuals affected, stolen information was limited to demographic data. For 1,206 individuals, additional information was accessed, including some medical details. No known threat actors have stepped forward to claim responsibility for the incident.

62. Genesis added Advanced Family Surgery Center (AFSC) to its dark web leak site, claiming to have exfiltrated 100 GB of data. Compromised data allegedly includes healthcare data, financial data, operational data and personal information. A file tree was also added to the dark web post, listing files in the exfiltrated data. According to the threat actors, AFSC was made aware of the incident in late November, with a spokesperson even showing up to negotiate at one point. AFSC has not publicly addressed these claims. 

63. Dermatology Associates in Kentucky announced that an August 2025 security incident may have resulted in unauthorized access to patient data. An investigation into the incident confirmed that the unauthorized access over a two-month period resulted in the exposure of confidential information. It is not known who is responsible for the attack. 

64. Everest ransomware group claimed responsibility for a major breach targeting McDonald’s India, alleging the exfiltration of approximately 861 GB of sensitive data, including internal company documents and personal customer information such as contact details and business records. The attackers published samples on a dark web leak site and set a deadline for a response before threatening wider data release. McDonald’s India has not yet publicly confirmed the incident.

65. Technology company Paylogix announced it had experienced a data breach in which sensitive personal information may have been compromised. The organization experienced network disruption involving certain computer systems. Akira claimed responsibility for the attack, allegedly exfiltrating 185 GB of data. 

66. French authorities launched a preliminary investigation after a cyberattack on Waltio, a cryptocurrency tax reporting platform used by thousands of investors. Hackers believed to be the group ShinyHunters accessed and attempted to extort data tied to approximately 50,000 users, including email addresses and summary information from 2024 tax reports such as crypto holdings and balances, although Waltio says sensitive credentials and funds were not compromised.

67. Dresden State Art Collections suffered a targeted cyberattack that disrupted large parts of its digital infrastructure, severely limiting online services like ticketing, visitor support and the museum shop. While physical security systems and museum operations remained intact, digital and telephone systems were largely offline as IT and forensic teams worked to restore services, and investigations continue in coordination with police and state authorities. Details on data theft or specific exfiltrated information have not been disclosed, and the identity of the attackers remains unknown.

68. Rogers Capital Credit, a financial services firm in Mauritius, suffered a data breach during which customer information was obtained and published on the dark web. The exposed records, primarily dating up to December 2022, include highly sensitive personal data such as copies of passports and national ID cards, proof of address, income documentation, and for some clients, banking, credit and civil status information. The Bank of Mauritius has warned the public to exercise vigilance, monitor financial accounts closely, and be alert for potential fraud and phishing attempts as the full scope of the incident continues to be assessed. The Gentlemen ransomware group claimed responsibility for this attack.

69. Nike is investigating a potential data breach after the cybercrime group WorldLeaks publicly claimed to have stolen and leaked approximately 1.4 TB of internal data from the company, including more than 188,000 files related to product design, manufacturing, supply chain and operational information. While Nike has confirmed it is assessing the situation, emphasizing its commitment to data security, it has not yet verified the full scope or confirmed whether customer or employee personal data was exposed.

70. The New York-based Civil Service Employees Association confirmed that a data security incident it experienced last year compromised the sensitive personal information of 47,352 individuals. Upon discovering the unauthorized activity, CSEA took immediate action to secure the network, while notifying relevant law enforcement authorities. The compromised data includes names and other personal identifiers such as SSNs. No known hacker group has claimed responsibility for the attack. 

71. Columbia Medical Practice confirmed that patient information was compromised during a ransomware attack in November 2025, exposing the sensitive personal and medical data of up to 3,000 individuals. Threat actors exfiltrated data before deploying malware that encrypted files on certain systems. Columbia Medical Practice stated that its electronic medical record system was not accessed during the incident. Qilin took credit for the attack. 

72. MACT Health Board notified individuals affected by a November 2025 security incident which caused disruption to its IT systems. An investigation confirmed that an unauthorized third party had accessed its computer network and exfiltrated sensitive patient information. Rhysida claimed responsibility for the attack and uploaded samples of identity documents to its leak site as proof of claims, demanding a ransom of 8 BTC ($622,000).

73. TriCity Family Services started notifying 2,511 patients about a data security incident which took place in spring 2025. An investigation revealed that an unauthorized threat actor had access to its computer systems for around 6 months, during which time sensitive data was exfiltrated. INC took credit for the attack, claiming to have exfiltrated 22 GB of data from the healthcare provider.

74. Enviro-Hub Holdings Ltd. disclosed that it was the victim of a ransomware attack, during which an unauthorized party gained access to its group servers. The company implemented containment and remediation measures and engaged external experts to investigate the incident, which has not yet been determined to have materially impacted operations. It is still assessing the scope of any data accessed or exfiltrated. Enviro-Hub has also reported the incident to Singapore’s Personal Data Protection Commission as part of its ongoing response.

75. Laurel Health Centers confirmed that an unauthorized third party accessed portions of its email environment in July 2025, potentially exposing sensitive patient information. An examination of affected email accounts found that data, including both PII and PHI, were viewed. The data involved varies by individual. At this time, no ransomware group has claimed responsibility for the attack.

76. Rhysida took credit for a November 2025 ransomware attack on Cytek Biosciences in California. The organization sent data breach notices to 331 people in November, alerting them to the fact that personal information was exposed during the incident. Rhysida added Cytek to its leak site, with a number of images posted as proof of claims. The dark web post now states that all of the data taken during this attack has been sold. 

77. Apparel company FullBeauty Brands confirmed that it notified at least 1,191 people of an October 2025 data breach that compromised names and SSNs. Everest took responsibility for the incident in mid-November and intentionally leaked all of the supposedly stolen data on its dark web site after FullBeauty failed to respond to the ransom deadline. 

78. Clop ransomware group claimed responsibility for a cyberattack targeting Hilton Hotels, posting the hospitality giant on its dark web leak site. Clop has not backed up the claim with evidence such as data samples and has not disclosed how much data was allegedly exfiltrated. Hilton has stated it has no evidence that its systems or data were compromised. The situation remains under investigation, and Hilton continues to assess any potential impact.

79. Nova ransomware group has claimed responsibility for a cyberattack on KPMG Netherlands, listing the firm on its dark web leak site and threatening to publish up to 500 GB of allegedly stolen data if ransom demands are not met. The group reportedly posted the claim on 23 January 2026, stating it had exfiltrated sensitive information and issuing a 10-day ultimatum for negotiations. KPMG has denied that its systems were compromised and says it is monitoring the situation, meaning the scope and authenticity of the alleged breach remain unverified while investigations continue.

80. It was revealed that individuals who received services from Mitchell County Department of Social Services have had their sensitive information stolen in an October ransomware attack. The attack encrypted files and caused email and phone outages for a number of days. A forensic investigation revealed that there had been unauthorized network access for four days in October, during which time files were exfiltrated. The data review and investigation remain ongoing to determine the types of information involved and the individuals affected.

81. Sanxenxo City Council in Spain has been hit by a cyberattack that encrypted data and compromised thousands of administrative documents, disrupting municipal operations. The attackers reportedly demanded a ransom of $5,000 in Bitcoin in exchange for releasing the encrypted files, but the city has indicated it plans to recover without paying.

82. Crunchbase has confirmed a data breach after the ShinyHunters hacking group leaked millions of records online. The exposed information included usernames, email addresses, hashed passwords and API keys, and was first posted on cybercrime forums before being shared more widely. Crunchbase says it has reset compromised credentials, notified affected users, and implemented additional security measures.

83. Russian security systems provider Delta, which manages alarm and vehicle security services, was hit by a large-scale cyberattack that caused widespread service outages across its home, business and car alarm platforms. Delta acknowledged the incident as a “large-scale, coordinated and well-organized” external attack and said its technical teams are working to restore systems after phone lines and its website went offline. Customers reported being unable to deactivate alarms or unlock vehicles, and some experienced vehicle systems malfunctioning due to the disruption. While Delta maintains no customer personal data has been confirmed leaked, an anonymous Telegram channel claiming to be linked to the attackers published an alleged stolen data archive. 

84. 360 Dental in Philadelphia reported a data breach that affected 11,273 individuals. A ransomware attack in November led to the encryption of files and the exposure of sensitive patient data. The types of data involved vary from individual to individual and include names in combination with other PII and PHI.

85. Langley Twigg Law, a New Zealand law firm, is investigating a cyberattack attributed to Anubis after the hackers posted employee and client passport scans and other sensitive documents on an underground forum. The breach involved unauthorized access to its systems and theft of personal identity information, prompting the firm to engage forensic experts, notify authorities and affected individuals, and take systems offline while it works to contain the impact.

86. Auckland-based Brinks Poultry Ltd has allegedly been hacked by the Clop ransomware group, with the threat actors claiming to have stolen internal company data and listing the business on Cl0p’s dark web leak site. The incident reportedly involved unauthorized access and exfiltration of internal documents, and attackers are using extortion tactics to pressure the company into contacting them. Brinks Poultry is currently assessing the scope of the breach, engaging cybersecurity experts, and working to contain and remediate the incident.

87. Winona County, Minnesota, experienced a ransomware attack that disrupted several county systems, forcing the IT department to take multiple networks offline to contain the incident. The breach affected services including tax and motor vehicle systems, and the county confirmed it was working with law enforcement and cybersecurity partners to investigate the attack and restore operations. Officials have not disclosed whether any data was exfiltrated or if a ransom demand was made, but precautionary steps and extended service delays reflect the significant operational impact on local government systems.

88. The Vladimir Bread Factory, one of the largest bakery producers in its region of Russia, recently suffered a cyberattack that knocked out its internal digital systems, including office computers, servers and electronic document management tools. The disruption didn’t stop production itself, but it complicated order processing and deliveries, leading to temporary supply challenges for retailers and customers as the company reverted to manual processing while it works to restore systems.

89. The City of New Britain, Connecticut, was hit by a ransomware attack that disrupted internet, phone, and internal systems for more than 48 hours, forcing city officials to activate incident response protocols and work with state and federal authorities, including the FBI, to assess the impact and restore operations. Despite the disruption, emergency services and essential functions continued, and additional cybersecurity resources were brought in to investigate the incident, although it remains unclear if resident data was compromised.

90. The Tulsa International Airport in Oklahoma was reportedly hit by a Qilin ransomware attack, with the cybercriminal group posting leaked internal documents, including financial records, internal emails, and employee ID information, on its dark web leak site. It is not yet clear whether airport operations or customer data were directly affected.

91. In Slovenia, gas supplier Geoplin was hit by a ransomware attack orchestrated by Sinobi. The ransomware group demanded $8.2 million in exchange for an undisclosed amount of stolen data. The company and its owner confirmed that they had detected a cybersecurity incident and are taking the necessary measures in response. It is not clear what types of data were exfiltrated during the attack. 
