
The State Of Ransomware 2026
February
February recorded 82 publicly disclosed ransomware incidents, with healthcare emerging as the most targeted sector, accounting for 31% of reported attacks. Organizations across 20 countries disclosed incidents during the month, with the United States the most affected with 51 incidents. A total of 24 ransomware groups were linked to publicly claimed attacks, led by Shiny Hunters with eight incidents, followed by Qilin with six. Notably, 41% of attacks were not yet attributed to any known ransomware group.
Find out who made ransomware headlines in February.
1. Nova Biomedical recently reported that a data security incident it experienced last year compromised the sensitive personal information of 10,764 individuals. Unauthorized access to internal networks was discovered on December 18, 2025, prompting an investigation to be immediately launched to determine the nature and scope of the incident. The compromised data included names and other personal identifiers including SSNs.
2. According to a notice on its company website, Hosokawa Micron Corporation suffered from a cyber incident in early February. The incident did not impact business operations, but the organization did confirm that electronic files were accessed by threat actors. Everest claimed responsibility for the attack, allegedly stealing 30GB of data. The group’s dark web post also included a number of screenshots of stolen documents, posted as proof of claims.
3. Everest ransomware group claimed to have breached Iron Mountain, a major global data management and storage firm, alleging the theft of around 1.4 TB of internal and client-related information and threatening to publish it if their demands weren’t met. While screenshots of allegedly compromised directories were posted on the group’s dark web leak site, Iron Mountain has stated that the incident was limited to a single folder of marketing materials accessed via a compromised credential and that no ransomware was deployed on its core systems.
4. It was announced that Onze-Lieve-Vrouw Instituut (OLV) Pulhof, a secondary school in Berchem, Belgium, suffered a ransomware attack shortly after the Christmas break. The attack disrupted its internal systems and prompted threats to leak or sell sensitive data relating to students and staff unless a ransom was paid. BitLock, who were reported to be responsible for the incident, initially demanded around €100,000, later lowering it to about €15,000, but the school declined to engage or pay, following guidance from authorities. In a troubling escalation, the threat actors then contacted parents directly, demanding €50 per child and threatening to expose personal information if payments were not made. Belgian prosecutors confirmed an ongoing investigation, and the school has advised parents not to comply with payment requests as it works to secure its systems and assess the impact.
5. INC ransomware group has claimed responsibility for a cyberattack on UK-based management software provider Distinctive Systems. The group added the company to its data leak site, publishing what it says are internal documents and contracts as evidence of the breach. Distinctive Systems confirmed it is investigating a cybersecurity incident that occurred in January and stated that all appropriate notifications have been made at this stage of the investigation.
6. Neurological Associates of Washington confirmed it notified 13,500 state residents of a December 2025 cyberattack which led to a data breach. Data compromised includes names, SSNs, diagnoses, medical information, and other types of personal information. The clinic confirmed that its facilities server that stored medical records was attacked and encrypted. DragonForce took credit for the attack, claiming to have stolen 1.4 TB of data from the clinic. Sample images of allegedly stolen documents were added to DragonForce’s dark web post.
7. Everest ransomware group claimed it had breached internal systems associated with Poly, the enterprise communications business now part of HP Inc., alleging the theft of around 90 GB of internal data and posting screenshots on its leak site as supposed proof. The materials shared appear to show engineering files, code listings and documentation tied to legacy Polycom systems, the brand HP acquired in 2022, rather than current production environments, and there is no independent confirmation that HP’s current networks or customer data were compromised. HP has acknowledged the allegations and said it is investigating, but so far has found no evidence of an active breach or impact to its customer systems.
8. Match Group, the operator of popular dating services including Match.com, Hinge, OkCupid, and Tinder, confirmed it experienced a cybersecurity incident after the threat actor group ShinyHunters claimed to have obtained and posted millions of records and internal files linked to its platforms. Match Group said the unauthorized access was quickly terminated and that it is investigating the matter with external experts, stressing that there is no evidence attackers accessed user login credentials, financial data, or private messages, though a limited amount of user-related information and internal documents were exposed and affected individuals are being notified as appropriate.
9. ShinyHunters claimed it had breached Bumble Inc., alleging the theft of roughly 30 GB of internal data from cloud services such as Google Drive and Slack and posting it on its leak site. Bumble confirmed that a contractor’s account was compromised in a phishing attack, which allowed brief unauthorized access to a limited portion of its systems, but said the incident was quickly contained. The company emphasized that no member database, user accounts, private messages or dating profiles were accessed, and it has engaged external cybersecurity experts and law enforcement to investigate the situation.
10. German insurer HanseMerkur, headquartered in Hamburg, has been listed on DragonForce’s dark web leak site following claims of a ransomware attack in early 2026, with threat actors alleging they exfiltrated nearly 97GB of internal data, including financial documents such as invoices, tax records, and vouchers, as well as possible files linked to partner Emirates Insurance. HanseMerkur has not publicly confirmed the incident or disclosed any operational impact.
11. Maryland-based Lakeside Title Co. is the target of a proposed class action lawsuit following an alleged ransomware attack. The suit claims inadequate data security exposed personally identifiable information of thousands of customers and employees. Play ransomware group claimed responsibility for the attack but did not provide detailed information relating to the type or amount of data stolen during the incident.
12. Central Ozarks Medical Center notified 11,818 individuals that some of their personal and protected health information was compromised during a November 2025 cyberattack. The types of information compromised include names, SSNs, financial account information, medical treatment information, and health insurance information. No further information relating to this attack has been made public.
13. Philippine tech firm Lenotech Corporation was allegedly targeted in a ransomware attack when the Tengu ransomware group listed the company on a dark web leak site, claiming to have exfiltrated around 136 GB of internal data and threatening to publish it if negotiations did not begin. The samples posted reportedly include internal directories and service-related files, but Lenotech has not publicly confirmed the incident.
14. In Denver, Clinic Service Corporation confirmed that it had experienced a hacking incident which led to the exposure of sensitive information. A forensic investigation confirmed that its network had been accessed for a seven-day period in August 2025. Both PII and PHI were compromised during the incident. 82,331 individuals were impacted.
15. Insightin Health announced that it experienced a cyberattack in September 2025 that led to the unauthorized access of patient data. A data review revealed that exposed files included protected health information associated with its clients. Medusa claimed responsibility for the attack and threatened to publish the stolen data. The group claims to have exfiltrated 378 GB of data from the organization.
16. Shiny Hunters claimed responsibility for a November cyberattack on the University of Pennsylvania in Philadelphia. The ransomware group published datasets that it claims contain more than one million records belonging to the university. The university did not specify the exact categories of data involved, stating only that systems related to alumni relations and fundraising had been accessed. During the incident, attackers sent emails to alumni from official university email accounts announcing the intrusion.
17. Shiny Hunters also published datasets of more than one million files allegedly belonging to Harvard University. The university confirmed that it had suffered a cyberattack in November which compromised its alumni systems. Attackers used phone calls to trick individuals into clicking malicious links or opening harmful attachments. Harvard confirmed that exposed information included contact information, donation details and other biographical data connected to alumni engagement and fundraising activities.
18. Customers of newsletter platform Substack were warned that email addresses, phone numbers and other metadata were leaked in a recently discovered data breach. The platform stated that it discovered a problem within its systems in early February that allowed an unauthorized third-party to access limited user data. Credit card numbers, passwords and other financial data were not leaked. The statement made by the company followed an unknown hacker claiming to have stolen personal information of about 700,000 users.
19. Beacon Mutual Insurance Company confirmed it was the victim of a cyberattack in January. A notice was posted on the organization’s website following requests for comments prompted by Beacon’s appearance on ransomware tracking websites. It was confirmed that the company’s production environment was not involved in the incident, but that the company’s network was disconnected as a preventative measure. INC took responsibility for the attack, claiming to have pilfered 275 GB of highly sensitive internal data from Beacon, adding screenshots to its leak site as proof of claims.
20. Romania’s national oil pipeline operator Conpet confirmed it was hit by a cyberattack that disrupted its corporate IT systems and took its public website offline while its core pipeline operations continued unaffected. The company said it is investigating the incident with national cybersecurity authorities and has filed a criminal complaint with the Directorate for Investigating Organized Crime and Terrorism (DIICOT). Although Conpet has not disclosed technical details of the breach, the Qilin ransomware group has claimed responsibility, listing the operator on its dark web leak site and alleging the theft of nearly 1 TB of internal documents, including financial records and passport scans.
21. Lynx took credit for a cyberattack on Lakelands Public Health in Ontario, Canada. The incident caused some programs and services to experience temporary outages. LPH was unable to give details about the attack due to the ongoing nature of the investigation. Lynx claims to have stolen confidential information, posting sample images of allegedly stolen documents on its leak site.
22. Sapienza University of Rome, one of Europe’s largest universities with around 120,000 students, suffered a major cyberattack that forced its IT infrastructure offline for several days, disrupting access to key services such as exam booking, email and administrative systems. University officials shut down network systems as a precaution while a technical task force, supported by Italy’s National Cybersecurity Agency and law enforcement, worked to restore services from unaffected backups. It is not clear who is responsible for this attack, but reports stated that a link was sent to the university demanding a ransom and giving a 72-hour deadline to pay.
23. In Australia, Epworth HealthCare was allegedly breached by the 0APT ransomware group, which claims to have stolen 920 GB of data from the healthcare provider. The hackers’ leak post states that the stolen data includes surgical records, patient names, and billing details. The ransomware group stated that it was actively negotiating with Epworth but that the involvement of any external parties would result in an immediate sample leak to local media. However, Epworth has said that it has found no evidence of a breach.
24. The Jefferson Blount St. Clair Mental Health Authority in Alabama notified 30,434 people of a November 2025 data breach. It is believed that the stolen data, which includes both PII and PHI, was collected by JBS Mental Health between 2011 and 2025. Medusa took credit for the breach and demanded a $200,000 ransom to destroy 168.6 GB of stolen data. To prove its claim, Medusa posted sample images of what it says are documents from JBS’s servers.
25. DOCS Dermatology Group disclosed a security incident that was identified in late November 2025. An investigation determined that an unauthorized third party had access to its networks over a seven-day period, during which data was compromised. Although the data review remains ongoing, DOCS has determined that compromised data includes PII, PHI and billing information. It is not known who is responsible for this attack or how many people have been impacted.
26. A total of 3,722 clients of the Center of Neuropsychology and Learning in Michigan were affected by a data breach following unauthorized access to one of the organization’s servers. The intrusion was discovered in November 2025, and a subsequent forensic investigation found that the server had been accessed in late October. The compromised system stored protected health information, though it did not contain highly sensitive data.
27. BridgePay Network Solutions, a major U.S. payment gateway provider, confirmed it was hit by a ransomware attack that knocked its systems offline and triggered a widespread outage affecting merchants, municipalities and other organizations that rely on its infrastructure for processing card payments. The incident, first detected on February 6, disrupted core services including APIs, virtual terminals and hosted payment pages, forcing some businesses to resort to cash-only transactions while services were unavailable. BridgePay engaged federal authorities along with external forensic and recovery teams, and said initial investigations show no payment card data was compromised despite files being encrypted. Restoration efforts are ongoing with no clear timeline for full recovery as the company works to securely bring systems back online.
28. CoinbaseCartel added Dolby Laboratories, a major US tech corporation, to its dark web blog. The ransomware group did not provide any data samples or information relating to the breach. Dolby has not commented on the alleged breach.
29. WindRose Health Network informed certain patients of a security incident discovered in August 2025 involving unauthorized access to parts of its network. The affected systems contained both personal information and protected health information. While the specific data involved differs by individual, the organization believes that approximately 691 individuals were impacted by the breach.
30. In New Hampshire, Cottage Hospital detected unauthorized access to its computer network. A forensic investigation determined that hackers had access to a single file server in October 2025. The hospital confirmed that files had been exfiltrated in the incident. The impacted server contained current and former employees’ names, SSNs, driver’s license numbers, and potentially bank account information. 2,156 individuals were affected by the incident.
31. IT management software company SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server. The attack impacted the company’s office network and data center hosting quality control testing systems, SmarterTools’ portal, and its Hosted SmarterTrack network. Hackers compromised the mail server and moved laterally to the Windows servers in the data center, compromising 12 of them. Reports suggest that Warlock ransomware group was responsible for the attack.
32. 1,800 individuals were affected by a data breach at Pit River Health Service in California. An unauthorized third-party hacked its systems and copied data. The healthcare provider confirmed that no data was altered or deleted in the attack. As a result of the incident, some patient services were delayed. It is not known who is responsible for the attack.
33. Brush manufacturer Trisa was targeted by Lynx ransomware group, who claimed to have exfiltrated over 1 TB of information. Trisa confirmed the incident, stating that the attacker had managed to infiltrate “clearly defined and strictly limited” areas of its IT systems for a short time. According to the company, less than one percent of the company’s data was copied. The company filed a criminal complaint following the incident.
34. Following a ransomware attack on Senegal’s Directorate of File Automation, the government department suspended operations and shut down services tied to national ID cards, immigration, and other biometric data. A senior police official stated that authorities were working to restore affected systems and that the integrity of citizens’ personal information remains intact. Green Blood Group claimed to have breached the agency and exfiltrated 139 GB of data. The group claims that stolen materials include database records, biometric information, and immigration documents. Sample files were released to support the claim.
35. Pecan Tree Dental confirmed that it experienced a cybersecurity incident involving unauthorized access to its computer systems. A notice on the dental clinic’s website was light on detail but stated that steps were being taken to secure its systems and an investigation into the incident had been launched. Official notifications indicate that up to 13,300 individuals had their protected health information exposed in the incident. Sinobi took credit for the attack, claiming to have exfiltrated 250 GB of data. The group has since leaked the stolen information on the dark web.
36. 83,354 individuals were affected by a data security incident involving the Counseling Center of Wayne and Holmes Counties. The incident caused widespread disruption to its IT systems. An investigation was launched, all impacted systems and accounts were removed, and credentials were reset. The forensic investigation determined that an unauthorized party had exfiltrated files including both PII and PHI.
37. Japan Airlines announced that unauthorized access to the reservation system on its Same-Day Luggage Delivery Service may have exposed the personal information of up to 28,000 customers. A third party accessed the system, causing the services to be rendered temporarily unavailable. The potentially compromised data includes personal information and other travel-related details.
38. The Augusta Housing Authority, one of Georgia’s largest public housing agencies, was reportedly targeted in a ransomware attack linked to the Qilin group, who posted the agency on its dark web leak site alongside several other victims. Sample documents posted by the group included personal data from low-income housing applicants and city employees. The incident affected some internal systems and potentially exposed sensitive applicant and employee data, including correspondence documents, utility reimbursement reports and payroll-related files that were shared as proof of access. Local officials took affected systems offline to contain the breach, engaged cybersecurity responders, and worked to restore services, though it remains unclear whether personal information was publicly disclosed or if a ransom demand was made.
39. EyeCare Partners announced an email security incident that was identified in January 2025. An investigation into the incident confirmed that an unauthorized third-party had accessed multiple managed email accounts in late 2024 / early 2025. Data compromised in the incident includes names, contact information, health plan information, and limited clinical information. It has been reported that 17,110 individuals were affected.
40. California-based MedRevenu Inland Physicians Hospitalist Services notified relevant authorities of a cybersecurity incident that took place in 2024. The incident caused network disruption and resulted in the exposure of personal, financial and health information. BianLian claimed responsibility for the attack shortly after it happened and later leaked the stolen information.
41. Dutch telecommunications provider Odido suffered a significant cyberattack that exposed sensitive personal data from its customer contact system, affecting an estimated 6.2 million accounts. Hackers gained unauthorized access over the weekend of February 7–8 and downloaded names, addresses, mobile numbers, email addresses, bank account numbers, dates of birth and government ID details, though passwords, call records and billing information were not compromised. Odido promptly blocked the intrusion, engaged external cybersecurity experts and reported the incident to the Dutch Data Protection Authority while assuring that its core services remained unaffected. Following a ransom demand from the threat actors, parts of the stolen data were later published on the dark web after Odido reportedly refused to pay.
42. Atlas Air, a major U.S. cargo airline, denied that its systems were compromised after Everest ransomware group added the organization to its leak site. Everest claimed to have pilfered 1.2 TB of sensitive technical information, including Boeing aircraft data. Screenshots provided as proof of claims included aircraft maintenance and repair reports, repair and logistics documentation, and internal operational corporate files.
43. Akira ransomware group added Canadian retailer Ardene to its leak site and alleges to have stolen 58 GB of data. Ardene notified customers of a cyber incident that impacted its internal systems in January, causing shipping delays. Ardene stated that it was not aware that any customer data had been compromised. Akira claims to have stolen financial data, customer and employee information, and other confidential information.
44. Sakata Seed Corporation reported a cyber incident affecting servers at its US consolidated subsidiary, Sakata America Holdings Corporation Inc. The seed producer is working with U.S. law enforcement and an external cybersecurity firm to investigate the point of infiltration and potential data access. There was no significant disruption to normal business operations. Qilin has claimed responsibility for this attack.
45. A cyberattack on Grund Nursing Home System in Iceland led to the exposure of sensitive information relating to tens of thousands of individuals. The attack caused significant disruption, affecting the operations of the entire organization. It was confirmed that the stolen information spans many years.
46. Livingston HealthCare in Montana stated that its phone systems had been restored following a cyberattack. The attack disrupted communications and led the hospital to take some systems offline. An update in mid-February said that some network services remained limited, but that patient care continues. No ransomware group has stepped forward to take credit for this incident.
47. Washington Hotel, a major hospitality brand in Japan, confirmed that it was the victim of a ransomware attack after unauthorized access to several of its internal servers was detected on February 13, 2026. The breach exposed various business data on the compromised systems, prompting IT teams to immediately disconnect the affected servers from the internet and activate an incident response plan involving police and external cybersecurity experts to assess the impact and contain the threat. While customer information, such as loyalty program data stored on separate third-party systems, is currently believed to be unaffected, some hotel locations experienced temporary issues with credit card terminals and ongoing investigations are underway to determine the full scope and any potential data exposure. No ransomware group has publicly claimed responsibility for the attack.
48. The Cheyenne and Arapaho Tribes of Oklahoma stated that a ransomware attack forced them to shut down tribal computer networks. Email and phone services were disrupted and some operations were temporarily suspended as systems were restored. Rhysida took credit for the attack, demanding a $680,000 ransom in exchange for the stolen data. Tribal leaders stated they would not negotiate or pay and have not confirmed whether data was actually stolen.
49. Seagrass Boutique Hospitality Group confirmed that it fell victim to a cyberattack orchestrated by Kairos ransomware. The cybersecurity incident involved unauthorized access to part of the company’s IT network, prompting the isolation of the affected system. An investigation into the incident remains ongoing. Kairos claimed to have exfiltrated 50 GB of data from the organization, giving a seven-day deadline to meet undisclosed demands.
50. Qilin added Mount Barker Co-operative, a West Australian food co-operative, to its leak site, alongside claims that 40 GB of internal data had been exfiltrated. The stolen data allegedly contains 55,361 files, but no sample documents or additional information was available on the dark web listing. The Mount Barker Co-operative has not yet publicly addressed Qilin’s claims.
51. The ransomware group BravoX has claimed responsibility for breaching the systems of the Order of Chartered Accountants of Brittany. The group alleges it exfiltrated thousands of files totaling approximately 859GB of data. Describing the information as highly sensitive, BravoX has issued a 12-day deadline before it plans to publish the stolen data.
52. The Aeromedical Society of Australasia (ASA) was allegedly hacked by LockBit. The not-for-profit was added to the group’s leak site, and while no evidence of the hack was shared, LockBit said it would publish the stolen data on February 26. ASA is aware of the claims made by the notorious ransomware group and has made contact with relevant authorities. The organization did state that it does not hold personal information on its platforms.
53. Major French multinational aerospace, defense, and security corporation Safran Group has denied being impacted by a cyberattack. Allegedly stolen information from its systems had been inadvertently exposed by a third-party provider. Safran Group had a data set with over a million lines of data stolen and leaked by a threat actor. Stolen data included names, emails, ERP references, and other order details. The firm did not experience operational disruption or adverse security impact from the incident.
54. OpenLoop Health is facing a potential class action over an alleged cyberattack that may have exposed the health data of 1.6 million people. Threat actors claim to have hacked OpenLoop’s computer system and to have accessed a cache of highly sensitive and private information. The lawsuit alleges OpenLoop failed to notify patients of the data breach.
55. Issaqueena Pediatric Dentistry recently reported a hacking incident that involved unauthorized access to PII and PHI. The incident is still being investigated, so the number of affected individuals has yet to be confirmed. The healthcare provider discovered the intrusion in mid-November when ransomware was used to encrypt files. Interlock claimed responsibility for the attack.
56. AltaMed Health Services Corporation recently alerted patients about a cybersecurity incident that took place in mid-December 2025. The incident limited access to some of its computer systems. Third-party cybersecurity experts were engaged to assist with the investigation, which remains ongoing. It has been determined that the compromised systems contained some patient information.
57. German-based athletic apparel and footwear manufacturer Adidas started an investigation into a potential data breach of one of its independent licensing partners following claims made by a cybercriminal group. An individual claiming affiliation with the Lapsus$ Group posted on BreachForums, asserting that the group had compromised Adidas’ extranet. The post claimed that 815,000 rows of data, including personal information and technical data, had been stolen. Company representatives stated that there is no indication that internal IT systems, e-commerce platforms, or consumer data have been affected by the incident.
58. The Shiny Hunters ransomware group has been associated with a breach involving Figure Technology Solutions, claiming that personal and contact information linked to 967,200 accounts was stolen. The intrusion reportedly involved a limited number of files taken from the company’s internal network. The exposed data is said to include more than 900,000 unique email addresses along with additional personal details. After alleging that Figure declined to pay an undisclosed ransom, the group published 2.5TB of data purportedly taken from thousands of loan applicants.
59. Advantest Corporation, a major Japanese semiconductor test equipment manufacturer, disclosed it is responding to a ransomware incident that was detected on February 15, 2026, after unusual activity was identified within its IT environment. The company immediately activated its incident response plan, isolated affected systems and brought in third-party cybersecurity experts to investigate and contain the breach. Preliminary findings suggest an unauthorized third-party may have gained access to parts of Advantest’s network and deployed ransomware, though no specific ransomware group has taken credit and there is no confirmed evidence of data theft at this stage. Advantest has stated that if customer or employee data is found to have been compromised, affected individuals will be notified directly, and it continues to investigate the full scope of the incident while reinforcing security measures.
60. North East Medical Services (NEMS) notified 91,513 patients of an October 2025 data breach following a cyberattack on its third-party software provider, UnitedLayer. The impacted data includes Social Security numbers and medical information. RansomHouse claimed responsibility for the attack, claiming to have encrypted UnitedLayer’s data and providing evidence packs to prove its claims. UnitedLayer has not confirmed the ransomware group’s claim.
61. Finance platform youX confirmed its systems were accessed by an unauthorized third-party during a cybersecurity incident. A hacker has claimed to have stolen information from 444,528 Australian borrowers including addresses, emails, phone numbers, government IDs and credit information. Another 629,597 loan applications, 229,226 driver’s licence numbers and 607,522 residential addresses were allegedly stolen, along with banking records, customer and staff details from 797 broker organizations.
62. ShinyHunters has claimed responsibility for a major breach of CarGurus, the U.S.-based online automotive marketplace, and published a dataset containing personal information tied to more than 1.7 million accounts after an apparent failed extortion attempt. The leaked archive, roughly 6.1 GB in size, is reported to include names, email addresses, phone numbers, physical and IP addresses, user account IDs, finance pre-qualification application data and dealer subscription information. CarGurus has not publicly confirmed the incident, but the breach has been added to Have I Been Pwned’s database.
63. Catalyst RCM, a U.S.-based medical revenue cycle management provider, confirmed that a ransomware-linked data breach first detected in November 2025 has impacted sensitive information it stored on behalf of healthcare clients. Between November 8 and November 9, 2025, an unauthorized actor used compromised credentials to access a secure file management system and copied data without permission. The compromised information may include names, dates of birth, payment card details, protected health information and insurance data for patients of clients such as Vikor Scientific (now Vanta Diagnostics), KorPath and KorGene, with regulatory filings indicating approximately 139,964 individuals were affected. The ransomware group Everest claimed responsibility on a dark web leak site.
64. WIRX Pharmacy has notified 20,104 individuals of a December 2025 cybersecurity incident that may have resulted in unauthorized access to protected health information. Upon discovering suspicious activity, systems were secured and an investigation was launched. A review of exposed files confirmed that personal and protected health information were present in the files on the compromised parts of its network. The affected data varies from individual to individual.
65. In California, Emanuel Medical Center started notifying current and former patients about a May 2025 security incident. Cybersecurity experts confirmed unauthorized access to the healthcare provider’s network in May, and that files containing personal and protected health information were present on affected systems. Data compromised in the incident varies from individual to individual.
66. Choice Hotels International disclosed that on January 14, 2026, a threat actor used a social engineering attack to gain unauthorized access to an internal application containing records related to franchisees and franchise applicants, despite multifactor authentication being in place. Choice detected the activity and shut it down in less than an hour, then determined through investigation that the accessed records included personal information such as names, contact details, Social Security numbers and dates of birth. The breach appears to be limited to franchisees and applicants rather than hotel guests. Regulatory notices have been filed in multiple U.S. states, though an exact total of impacted individuals has not been publicly disclosed. No ransomware group has claimed responsibility for the incident.
67. In Northern Ireland, Grange Dental Care fell victim to a cyberattack that resulted in fraudulent emails being sent from the practice’s system. The issue was identified quickly, and the practice’s IT provider was contacted immediately to prevent further damage. Certain information was accessed during the attack, but it appears that no sensitive data or personal information was compromised. Investigations remain ongoing.
68. The University of Mississippi Medical Center (UMMC) confirmed that it was hit by a ransomware attack that disrupted its IT network, taking down key systems including its Epic electronic medical records platform and forcing it to shut down clinics statewide and cancel elective procedures while recovery efforts continued. Officials worked with federal agencies including the FBI, CISA and DHS to respond to the incident and restore services. Hospital inpatient and emergency services remained operational using downtime procedures, but phone, email and electronic health systems were offline for days as teams assessed the damage, communicated with the attackers and rebuilt secure infrastructure. UMMC has since begun reopening clinics and rescheduling appointments more than a week after the attack, though the full scope of the breach and whether patient data was accessed has not been publicly disclosed.
69. The Grand Hotel in Taipei issued a warning to customers of a possible data breach after discovering unauthorized access to its information systems. Upon discovering the attack, the hotel disconnected affected systems, conducted a security review and notified relevant authorities to investigate the incident. The Gentlemen ransomware group claimed responsibility for the attack.
70. Wynn Resorts, the luxury casino and hotel operator, was targeted by the ShinyHunters cyber extortion group, which claimed to have stolen more than 800,000 employee records including sensitive personal information. ShinyHunters listed Wynn on its data leak site and demanded 22.34 BTC (about $1.5 million) to delete the data and prevent its public release, setting a deadline for the company to engage with its demands. The stolen records are reported to contain details such as names, Social Security numbers, phone numbers and other PII, though Wynn Resorts has stated its guest operations and physical properties were not impacted. ShinyHunters later removed Wynn’s listing from its leak site, which in some cases indicates negotiations or disputed claims.
71. 56,954 patients have been impacted by a cybersecurity incident involving Greater Pittsburgh Orthopedic Associates. Unauthorized third-party access to its IT network was discovered in August 2025, prompting an investigation into the incident. The forensic investigation determined that personal and health information was compromised during the attack. RansomHouse claimed responsibility for the attack.
72. Air Côte d’Ivoire, the flag carrier airline of Côte d’Ivoire, confirmed it was the victim of a cyberattack after parts of its information systems were breached on February 8. The airline activated its business continuity plans to ensure flights and operations continued normally while technical teams and national cybersecurity authorities investigated the incident. INC ransomware gang claimed responsibility, asserting it had stolen around 208 GB of data and set a ransom deadline, though the airline has not confirmed the exact volume or nature of the compromised information.
73. The French Ministry of Finance disclosed a cybersecurity incident that exposed data associated with approximately 1.2 million user accounts after a threat actor accessed the FICOBA database. An internal investigation determined that a hacker used stolen credentials to access the platform, which records all bank accounts opened by French financial institutions. Information including bank account details, account holder identities, physical addresses, and in some cases, taxpayer identification numbers, may have been compromised. At this time, those responsible for this incident have not been publicly identified.
74. In Thailand, the Sasin School of Management has launched an investigation into a recent cybersecurity incident impacting a portion of its IT infrastructure. After detecting suspicious activity, the school took immediate steps to secure its systems and remove unauthorized access. The investigation remains ongoing, and at this stage there is no indication that critical data systems were breached. The Gentlemen ransomware group has claimed responsibility for the incident.
75. Qilin claimed responsibility for a cyberattack on the Transport Workers Union (TWU) Local 100, which represents tens of thousands of New York City transit workers and retirees, including subway, bus and ferry staff. Qilin added the union to its dark web leak site, alleging it had stolen 551 GB of sensitive information during the recent attack. While Qilin did not say how much information was taken or what files were involved, TWU Local 100 disclosed on its website that its collection and retention of employees’ contact details, salary information, job titles, medical and insurance benefits, and retirement and pension planning information had been impacted.
76. UFP Technologies, a U.S.-based medical device and industrial component manufacturer, disclosed it was the victim of a cyberattack that disrupted parts of its IT environment and prompted the company to take affected systems offline as part of its response. The incident resulted in the encryption of certain data and temporarily impacted business operations while the organization worked with external cybersecurity experts to investigate and restore systems. UFP notified regulators and began reaching out to potentially affected customers, vendors and employees as part of the remediation process. No known ransomware group has claimed responsibility for this attack.
77. INC claimed responsibility for a cyberattack which caused disruption to the City of Cocoa in Florida. The city was forced to navigate a significant number of municipal IT issues that severely impacted local government operations. In response to the system failures, the City Council issued an emergency declaration and expedited the allocation of resources for system restoration and forensic investigation. INC added a number of leak documents to its leak site to substantiate the claims but did not give information on the amount of data allegedly exfiltrated.
78. In mid-February, the Qilin ransomware group listed Western Australia-based electronics retailer Esperance Communications on its dark web leak site, alleging it had stolen 14GB of data comprising more than 16,000 files. However, the group did not publish any screenshots or supporting documents to substantiate its claims.
79. Pathstone Family Office, a U.S.-based financial services firm, confirmed that it suffered a data breach after the ShinyHunters cybercriminal group published sensitive information on its leak site. According to the threat actor, the stolen dataset, consisting of 641,000 records, included financial documents and personally identifiable information tied to clients and employees, and was posted after the company reportedly declined to meet an unspecified ransom demand. While Pathstone acknowledged the incident and has been notifying affected individuals, it is working with cybersecurity specialists to assess the full scope of the exposure.
80. Hong Kong’s popular Ngong Ping 360 cable car attraction disclosed that it was the victim of a ransomware attack which resulted in the theft of personal data from its systems. The breach exposed information belonging to visitors who had purchased tickets online, including names, phone numbers, email addresses and payment card details, prompting the operator to report the incident to the Hong Kong Privacy Commissioner for Personal Data and offer support to those affected. Local authorities and cybersecurity experts were engaged to investigate the incident and strengthen defenses against future attacks.
81. Malaysia’s flag carrier Malaysia Airlines was listed by the Qilin ransomware group on its dark web leak site as a victim of a cyberattack, with the threat actor claiming to have exfiltrated sensitive data and threatening its public release unless negotiations take place. As of now, no proof or samples of stolen information have been published, and Malaysia Airlines has not officially confirmed the scope of the breach or what specific data, if any, was accessed.
82. 2,500 individuals have recently been notified of a ransomware attack on Apex Spine & Neurosurgery, which led to the compromise of their electronic protected health information. During the December attack, threat actors accessed its network and used ransomware to encrypt files. A forensic investigation confirmed that files were also accessed and copied during the incident. PII, PHI and some financial information were involved in the attack. Interlock ransomware group claimed responsibility for the attack, allegedly stealing 20 GB of data. Interlock proceeded to leak the stolen information as the ransom was not paid.
January
2026 opened with 91 publicly disclosed ransomware attacks. Healthcare was the most targeted sector with 27 incidents, followed by government with 11 and manufacturing with 10. Notably, 49% of the attacks recorded this month have not yet been publicly claimed by a known ransomware group. Among the claimed attacks, Qilin once again led activity with eight incidents, while 19 other groups were also linked to ransomware activity. The USA accounted for 58% of disclosed attacks, with organizations across 22 other countries also impacted, highlighting the truly global reach of ransomware.
Keep reading to find out who made ransomware headlines in January.
1. Kids’ footwear operator Esquire Brands was reportedly targeted by the Play ransomware group, which claims to have stolen sensitive company data. The group listed Esquire Brands on its dark web leak site and threatened to publish the data on January 3, 2026, if no contact was made. According to the post, the alleged data includes client documents, payroll records, financial information, and other confidential materials. Esquire Brands has not publicly acknowledged or commented on these claims.
2. Claims administration firm Sedgwick confirmed a cybersecurity incident at its government-focused subsidiary after the TridentLocker ransomware group publicly claimed responsibility for stealing approximately 3.4 GB of sensitive data. The affiliate, Sedgwick Government Solutions, which provides risk management and claims services to several U.S. federal agencies, was listed on TridentLocker’s dark web leak site on December 31, 2025, with the attackers threatening to expose the stolen information. Sedgwick said it activated incident response protocols, engaged external cybersecurity experts and notified law enforcement, emphasising that the breach was limited to an isolated file transfer system with no evidence of impact on broader systems or its ability to serve clients.
3. U.S. hot sauce and food products manufacturer Garner Foods, known for brands like Texas Pete, was claimed as a victim by Play, which posted the company on its dark web leak site in early January 2026, warning it would publish allegedly stolen data if contact was not made by January 7. According to the Play dark web post, the alleged data includes confidential information, client records, budget and payroll details, though the extent of the compromise and volume of data taken has not been publicly verified. Garner Foods has not yet issued a public statement confirming or addressing the ransomware group’s claims.
4. New Zealand–based patient portal ManageMyHealth was the target of a significant ransomware attack, during which Kazu reportedly breached the platform, exfiltrating hundreds of thousands of sensitive medical records affecting over 120,000 users. The attackers demanded a ransom, reportedly around $60,000, and threatened to publicly release the stolen data. ManageMyHealth secured its systems, notified authorities and sought a High Court injunction to block dissemination of the files. ManageMyHealth publicly confirmed the cybersecurity incident, acknowledging the breach’s impact on a portion of its user base, and is working with law enforcement and regulators while notifying affected patients, although questions remain about the full scope and response to the compromise.
5. In Canada, Leduc County became aware of a ransomware incident that had taken place on December 25, 2025. The attack disabled some of the county’s IT systems, including its email platform and website form submissions. Some other IT systems were proactively disabled during an ongoing forensic investigation. No known ransomware group has claimed the attack.
6. Florida-based engineering firm Pickett and Associates was reportedly the subject of a significant cyberattack in early January, with an unknown threat actor claiming to have stolen approximately 139 GB of sensitive engineering and infrastructure data tied to major U.S. utilities such as Tampa Electric Company, Duke Energy Florida, and American Electric Power. The group is offering the data for sale on a dark web forum for around 6.5 BTC (about $580,000). The alleged haul includes raw LiDAR point cloud files, orthophotos, design files and other operational project data believed to relate to active utility infrastructure work. Pickett and Associates has not publicly confirmed the breach, and investigations into the claim are reportedly underway by affected clients.
7. A recent cyberattack on third-party payment processor Global-e exposed personal data for customers of companies using its services, including hardware wallet maker Ledger. Hackers accessed names and contact information stored in Global-e’s systems for order processing, although neither Ledger’s internal systems nor sensitive wallet security details like recovery phrases or private keys were compromised. Affected customers have been notified. It is not yet known who is responsible for this attack.
8. More than one year after a ransomware attack, Denton County MHMR Center reported a major data breach that involved unauthorized access to the PHI of 108,967 current and former patients. Potentially compromised information includes medical history information, treatment information, insurance data and biometric identifiers.
9. U.S. fiber broadband provider Brightspeed is investigating claims by the cybercriminal group Crimson Collective that it accessed and exfiltrated sensitive data for over 1 million customers, including names, contact details, billing information and partial payment card data. The group announced the alleged breach via its Telegram channel in early January with a threat to release or sell the information publicly, posting sample records as purported proof. Brightspeed has not confirmed a breach of its systems or the extent of any data exposure and says it is actively reviewing the situation and keeping customers and authorities informed as its internal investigation continues.
10. Everest claimed that it had exfiltrated approximately 186 GB of sensitive data from global insurtech platform Bolttech, threatening to publish the information if its demands were not met. The group posted alleged proof on its dark web leak site, stating the data includes employee and agent account details, customer contact information, insurance policy records, mortgage-related files and other operational materials. Bolttech has not publicly confirmed or commented on the claims.
11. Australian car rental excess insurer Prosura disclosed a significant data breach and cyber incident after unauthorized access to parts of its internal IT systems was detected on January 3. The threat actor responsible for the incident obtained customer personal and policy information and began contacting customers with fraudulent communications. The compromised data is reported to include names, email addresses, phone numbers, travel and policy details, and, for some claimants, driver’s licence images, with attackers subsequently posting samples of the stolen records on criminal forums and attempting to sell them. Prosura took key online services offline, notified regulators and external cybersecurity experts, advised customers to be cautious of phishing attempts, and said it is investigating and securing its systems, emphasizing there is no evidence that payment card details were accessed.
12. Gulshan Management Services confirmed that it had notified 377,082 people about a September 2025 data breach that compromised personal information. The gas station operator informed victims that a successful phishing attack allowed unauthorized access to its systems. The unknown attackers also encrypted portions of GMS’s network. Compromised information includes names, SSNs, credit and debit card numbers, driver’s license numbers, and contact info.
13. ASX-listed gold producer Regis Resources confirmed it had experienced a cybersecurity incident after the Lynx group claimed responsibility for an attack and listed a subsidiary, McPhillamys Gold, on its dark web site. Regis stated the activity was detected in November 2025 and that its security controls responded as designed, with a subsequent forensic investigation finding no evidence of data exfiltration and no ransom demand. The company said relevant authorities were notified and confirmed the incident had no material impact on operations or commercial activities.
14. Anubis ransomware group claimed that it had breached the systems of Australian medical clinic Laidley Family Doctors, listing the practice on its dark web leak site and alleging exposure of sensitive information. According to the group, data such as names, gender, Medicare details and medical history was compromised during the incident. Data samples were also shared on the dark web as proof of claims. Laidley Family Doctors has not publicly confirmed or commented on the ransomware claims.
15. Lynx claimed responsibility for a cyberattack on St Joseph’s College Echuca, posting the Australian Catholic co-educational school on its dark web leak site and asserting it had encrypted or breached the college’s network and obtained data. According to the group’s listing, the incident was disclosed on January 5, though no proof was provided and the full details of any data compromise remain unclear. St Joseph’s College Echuca has not publicly responded to or confirmed the ransomware claims.
16. Bosch Choice Welfare Benefit Plan disclosed a data breach after unauthorized access to its systems exposed sensitive personal and health information of approximately 55,000 individuals. Compromised information included names, SSNs, DOBs, health insurance details, medical claims data and information related to medical conditions.
17. Pearlman Aesthetic Surgery reported a breach of protected health information of 11,764 individuals. The specifics of the breach have not yet been disclosed, other than it being a hacking/IT incident.
18. Associated Radiologists of the Finger Lakes announced that it had identified unauthorized access to its computer network in October 2025. An investigation confirmed unauthorized access led to patient data being viewed or copied. The file review is currently ongoing but at this stage it is believed that both PII and PHI were compromised as a result of the incident.
19. Andover Eye Associates in Massachusetts announced that it experienced an email security incident that exposed the data of 1,638 individuals. An investigation confirmed that an unauthorized third party had accessed the accounts in May, leading to the exposure of sensitive information. The accounts contained patient names and Social Security numbers. It is not clear who is responsible for the attack.
20. Legal firm Gorlick, Kravitz & Listhaus announced that a September 2025 data breach had compromised sensitive personal information belonging to its clients. Information impacted varies depending on the individual, but names and SSNs were among the data types stolen. Akira claimed responsibility, allegedly exfiltrating 22 GB of data from the organization.
21. Qilin claimed responsibility for a cyberattack on Italian water-sports equipment manufacturer Cressi, posting the company on its dark web leak site on January 8, 2026 and threatening to release sensitive data unless contact was made. According to the public listing, Qilin alleges it breached the organization’s systems, though it has not published data samples or detailed what information may have been accessed, and the extent of any exfiltration remains unclear. Cressi has not publicly confirmed or addressed these claims.
22. Details emerged of a November attack on Royal Borough of Kensington and Chelsea Council in London that affected IT systems shared with neighbouring councils, leading to widespread disruption of services and confirmed unauthorized data copying by the attackers. The council acknowledged that some sensitive information was copied and taken from its network, with investigations ongoing to determine the full scope of the breach and whether personal or financial details were involved. Residents were warned to be vigilant against potential scams using the compromised information. The incident prompted notification of the Information Commissioner’s Office, involvement of the National Cyber Security Centre and Metropolitan Police, and communication to more than 100,000 households about possible risks stemming from the breach.
23. The Pell City School System informed parents of a data breach stemming from a ransomware attack in late 2025. The superintendent said the district’s student information system was not impacted, though a third-party vendor experienced a security incident that resulted in data theft. While the district has not provided further details about the information involved, it confirmed in its parent notification that it will not pay the ransom. The Safepay ransomware group claimed responsibility for the attack in December 2025 but did not release additional details about the breach.
24. Hale Makua Health Services, a non-profit healthcare provider based in Maui, Hawaii, reported a ransomware-related data breach to the U.S. Department of Health and Human Services after the Qilin ransomware group claimed responsibility. The group alleged it had accessed the organization’s systems and posted sample screenshots on its dark web portal as proof of access. The specific types of information exposed have not been publicly detailed. The HHS breach listing currently reflects a provisional figure of 500 affected individuals, which is expected to be updated following the completion of an internal investigation.
25. Anubis ransomware group publicly claimed responsibility for a cyberattack against Chilean energy and resources company Copec S.A., alleging it exfiltrated a substantial volume of corporate data, threatening to release the information unless negotiations occurred. According to the group’s posts, roughly 6 TB of sensitive data was taken and included internal documents, communications and employee-related files, though these claims have not been independently verified. Copec acknowledged the incident and said it detected and contained the activity without impacting operations or customer personal data, but details about the scope of the alleged data compromise remain unclear as the situation continues to be investigated.
26. The City of Midway, Florida, confirmed that its police department’s SmartCOP cloud-based records system was compromised in a ransomware incident, disrupting access to police documents and public records and prompting an ongoing investigation by local law enforcement. Officials said the breach may have affected sensitive public records and warned residents to be cautious of suspicious communications that could be tied to the incident, though details about what specific data was impacted have not been disclosed. The situation came to light after community members reported difficulties obtaining records, and authorities are urging vigilance while the investigation continues.
27. A class-action lawsuit alleges that premier Manhattan plastic surgeon Dr Richard Swift’s office was compromised in an apparent malware attack that resulted in the theft and public posting of highly sensitive patient information, including nude images, Social Security numbers, medical and financial records, and other personal data for at least 22 individuals on a Russian-hosted website. According to court filings, some patients only discovered their private images had been published after the hackers contacted them directly, and the suit claims the surgeon’s office failed to notify patients or authorities about the breach as required by law, leaving victims exposed to risks of identity theft, fraud and emotional distress. Plaintiffs allege the practice’s computer systems were inadequately protected, that multiple requests for information were ignored, and that the website remained active for months before it went offline, with the surgeon’s office declining to comment when contacted for a response.
28. Everest ransomware group claimed responsibility for a major cyberattack on Japanese automaker Nissan Motor Corporation, alleging it exfiltrated approximately 900 GB of internal data from the company’s systems and posting sample screenshots on its dark web leak site to support the claim. According to analysis of the shared samples, the alleged data includes internal documents such as dealership records, program files, and operational folders, and the group has reportedly given Nissan a deadline to respond before publishing the full dataset publicly. Nissan has not publicly confirmed or denied the breach claim.
29. The nonprofit behavioural healthcare organization The Devereux Foundation was reportedly targeted by The Gentlemen ransomware group, which claimed to have breached its systems, posting an extortion notice on a dark web forum, warning that sensitive organizational data could be leaked unless contact was made. According to public breach notifications, the foundation detected suspicious activity and moved quickly to isolate affected systems and engage cybersecurity specialists, and it acknowledged that information related to employees, clients, donors, payors and partners may have been involved, including names, demographic, clinical and financial details. The investigation into the scope of the incident is ongoing.
30. The University of Hawaii Cancer Center suffered a ransomware attack that compromised servers supporting its research operations, resulting in the encryption of files and unauthorized access to sensitive research data, including documents containing Social Security numbers and other personal information of study participants. The centre said the breach did not affect clinical operations or medical treatment systems, and it engaged external cybersecurity experts to isolate affected systems, obtain decryption tools and work toward securing the destruction of data accessed by the attackers.
31. Six months after the initial attack, Canopy Health notified some patients of a cyberattack which led to patient details being compromised. A statement from the healthcare provider confirmed that in mid-July unauthorized individuals gained access to part of its systems used by the administration team. While an investigation remains ongoing, Canopy noted that the threat actors may have accessed a small number of bank account numbers.
32. South Korean conglomerate Kyowon Group, which operates across education, publishing and consumer services, confirmed it was hit by a ransomware attack that disrupted operations and may have exposed customer data, prompting an ongoing investigation with national authorities and external cybersecurity experts. Government investigators estimate that the incident could potentially affect up to 9.6 million user accounts, with abnormal activity detected across a large portion of the company’s servers and signs of a possible data leak under review. Kyowon has stated it is assessing the scope of the breach and has not yet confirmed whether personal data was actually accessed, and it plans to notify users transparently if a leak is verified.
33. Avosina Healthcare Solutions confirmed that it notified 44,425 people of a July 2025 data breach that compromised names, addresses, medical info, and health insurance info. Qilin took credit for the incident in August, posting sample images as proof of claims on its dark web leak site. These images included an employee payslip, a medical intake form, a business contract, an invoice, and a medical report.
34. Dublin Medical Center in Georgia recently started notifying individuals affected by an October 2025 cybersecurity incident. Suspicious activity was identified within its computer network, but it has not been confirmed when the unauthorized access started. The review of files confirmed that patient data was compromised in the incident, and that data types varied from individual to individual. The incident has impacted 32,090 patients.
35. Vida Y Salud-Health Systems reported a data breach involving unauthorized access to the protected health information of 34,504 Texas residents. An investigation into the October attack has concluded and confirmed that names, addresses, dates of birth, SSNs, driver’s license numbers, account numbers and claims numbers had been stolen.
36. An unknown threat actor posted claims on dark web forums that they had obtained and were offering for sale internal data from U.S. retail giant Target, including an estimated 860 GB of source code, system configuration files and developer documentation tied to critical internal projects such as digital wallet services, networking tools and identity systems. Sample data was briefly made available in public repositories to demonstrate access before those resources were taken offline, and Target reportedly restricted access to its internal development infrastructure in response. The company has not publicly confirmed a breach or addressed the claims directly.
37. Appalachian Community Federal Credit Union notified 30,797 individuals about an October 2025 data breach. The breach compromised names, SSNs, and financial account info. Qilin took credit for the incident and claimed to have stolen 75 GB of data.
38. The Department of Education in Victoria, Australia confirmed that an unauthorized third party gained access to its education network, exposing personal information for current and former government school students across the state’s system. Attackers accessed student names, school-issued email addresses, year levels, school names and encrypted passwords stored in a central database, prompting the department to implement safeguards, temporarily disable affected systems and reset all student passwords as a precaution. The department said there is no evidence the accessed data has been publicly released or shared. Authorities, including the Office of the Victorian Information Commissioner, are now investigating the breach.
39. European travel company Eurail B.V., which operates the Interrail and Eurail pass systems, disclosed a data security breach in which unauthorized access to its customer database resulted in the exposure of sensitive personal and travel information. The compromised information is reported to include names, contact details, home addresses, dates of birth and, for some travellers, particularly participants in the EU’s DiscoverEU programme, passport details, bank account references and health data. The total number of affected individuals has not been disclosed and there is currently no evidence the data has been publicly misused. Eurail said it secured the affected systems, engaged external cybersecurity specialists and notified relevant data protection authorities while continuing its investigation and directly informing impacted customers.
40. Belgian hospital network AZ Monica was hit by a ransomware attack that forced the proactive shutdown of its IT servers, disrupting access to electronic medical records and leading to the cancellation of scheduled procedures and the transfer of critical patients to other hospitals as a precaution. With emergency departments operating at reduced capacity and paper-based processes in place, hospital leadership emphasised that patient safety and continuity of care remained the top priority while authorities and cybersecurity teams investigate the incident. There is no confirmed public disclosure that patient data was exfiltrated, and unverified reports of a ransom demand have not been confirmed by officials.
41. In Texas, Spindletop Center notified victims of a September 2025 ransomware attack which led to personal information being compromised. The attack rendered systems and servers inoperable for a limited time. Rhysida claimed to have stolen personal records belonging to 100,000 people, posting images on its dark web site as proof of claims, and demanding a ransom of 15 BTC (around $1.65 million).
42. The Land and Agricultural Development Bank of South Africa (Land Bank) experienced a major IT systems disruption that took key services and internal systems offline as the organization investigated a suspected cyber incident affecting its operations. The bank said affected systems were taken offline as a precaution to protect its infrastructure and that internal teams, supported by external specialists, were working to restore full functionality and assess the cause of the outage. It is not yet clear if any information has been stolen during the incident.
43. Ju Teng International Holdings Limited disclosed a data security incident after discovering a post on a dark web forum offering access to sensitive information reportedly obtained through a cyberattack targeting certain company laptops. Compromised data is said to include client names, project details, customer and supplier contact lists, and product information, and the company has launched an investigation and engaged cybersecurity specialists to assess the full scope and strengthen its security posture. INC was responsible for the attack, claiming to have stolen 200 GB of data.
44. The Irish agri-trading company J Grennan & Sons was listed as a victim by the Akira ransomware group, with the threat actors claiming on a dark web leak site that they had targeted the business and threatening to publish sensitive financial and personal information, including invoices and employee and customer records. J Grennan & Sons confirmed it was the victim of a cyberattack that significantly disrupted operations and engaged external cybersecurity experts, and said it is “reasonably confident” that data held on its systems had not been accessed.
45. Spanish energy provider Endesa, one of the country’s largest electricity and gas companies, confirmed that it detected unauthorized access to its commercial platform, resulting in the exposure of customer personal and contract-related information and triggering an ongoing cybersecurity investigation. A threat actor on dark web forums claimed to have obtained a large database, allegedly over 1 TB of data tied to more than 20 million individuals, including names, contact details, national identity numbers, energy contract information and, in some cases, bank IBANs.
46. Genesis claimed responsibility for a December 2025 ransomware attack on Upper Township, New Jersey. Genesis claimed to have stolen 100 GB of data from official servers, threatening to publish it if an undisclosed ransom was not paid. The data is said to include financial and personal information. Township officials claim that an investigation into the incident is ongoing, but that they are aware of the data posted on the dark web.
47. U.S. food delivery platform Grubhub confirmed that hackers gained unauthorized access to certain internal systems and stole company data, prompting an ongoing investigation and involvement of law enforcement and external cybersecurity specialists. The company said that while financial information and order histories were not affected, attackers did extract data from some systems. Sources have indicated the ShinyHunters group is attempting to extort Grubhub by threatening to leak Salesforce and Zendesk-related information unless they are paid a ransom. Grubhub responded by stopping the activity, strengthening its security posture and working to contain the incident, but has not disclosed the full extent or specific nature of the compromised data.
48. The Port System Authority of the Central Adriatic Sea (Ancona) was hit by a cyberattack that resulted in data theft and publication on the dark web. The Anubis ransomware group exfiltrated approximately 56,000 files across 8,000+ folders, including internal administrative documents and employee-related data (potentially HR and sensitive records). The Authority stated the stolen material represented roughly 2% of its overall data, and the incident occurred during a broader IT migration to Italy’s national strategic infrastructure.
49. Qilin ransomware group publicly claimed responsibility for a cyberattack on Moen, the U.S.-based manufacturer of faucets and plumbing fixtures, posting the company on its dark web leak site and warning that sensitive data would be released unless contact was made. Qilin has not disclosed how much data it may have exfiltrated nor released any sample files alongside its listing. Moen has not publicly addressed the claims.
50. NightSpire ransomware group claimed it breached systems at the Hyatt Place Chelsea New York hotel, alleging it exfiltrated roughly 48.5 GB of sensitive data and posting samples on a dark web leak site to support its claim. Stolen files reportedly include internal documents such as invoices, expense reports with employee names and contact information, signatures, partner company data and potentially employee login credentials.
51. Chinese electronics manufacturer Luxshare, a key assembler for major tech companies including Apple, Nvidia and Tesla, was reportedly the target of a ransomware attack orchestrated by RansomHouse. The ransomware group claimed to have infiltrated its systems, stealing more than 1 TB of confidential data, including engineering files such as 3D CAD models, circuit board designs, internal product documentation and employee personal information. According to threat actor posts on dark web leak sites, the stolen data spans projects tied to multiple high-profile clients and could enable reverse-engineering, production of counterfeit products or targeted attacks. Neither Luxshare nor affected partners have publicly confirmed the breach or commented on the claims.
52. TotalEnergies is investigating claims of a large-scale data breach after a hacking group began posting samples of what it says is a database of nearly 184 million customer records on social media and cybercrime forums. The attackers assert the exposed information includes email addresses, client IDs, bank account numbers, home addresses, phone numbers and other personal details tied to customers of the French energy giant’s services. TotalEnergies has not confirmed a breach or validated the data, and the full scope and authenticity of the alleged incident remain under review.
53. A serious cyberattack caused an extended closure at Higham Lane School in the UK and, while the school has since reopened, staff continued to face significant limitations in accessing IT systems. The incident disabled core digital infrastructure, preventing the school from operating essential safety and administrative systems. It was also confirmed that data was removed during the attack, although the school has not disclosed what types of information may have been impacted.
54. Imperial Beach Community Clinic recently disclosed a cybersecurity incident and data breach that was identified almost one year ago. Unusual activity was detected within the healthcare provider’s email environment in mid-April 2025. An investigation determined that an unauthorized individual had access to certain email accounts, and certain information had been acquired. Compromised data includes both PII and PHI of an undisclosed number of individuals.
55. In Wisconsin, Valley Eye Associates announced that it fell victim to a ransomware attack in early October 2025. An investigation determined that a ransomware group had access to its network for a one-day period, during which time files were exfiltrated from its network. Qilin claimed responsibility for the attack and published the stolen data, which it claimed amounted to 139 GB.
56. The Canadian Investment Regulatory Organization (CIRO), Canada’s national self-regulatory body for investment dealers and market activity, confirmed that a sophisticated phishing attack led to a significant data breach affecting approximately 750,000 Canadian investors, with threat actors accessing and copying sensitive personal and financial information. Stolen data includes dates of birth, phone numbers, annual income, social insurance and government-issued ID numbers, investment account numbers and account statements. CIRO said it contained the incident, engaged external forensic experts, and found no evidence the stolen data has been misused or appeared on the dark web.
57. The Ayuntamiento de Beniel (Beniel Town Hall) in Spain experienced a serious cybersecurity incident that temporarily knocked its municipal IT systems offline, disrupting regular administrative operations and forcing staff to work manually while services were restored. Local officials activated security protocols and are working with regional and national cyber authorities to investigate the extent and impact of the breach, though details about any specific data compromise have not been disclosed. The Gentlemen ransomware group claimed responsibility and threatened to publish sensitive information unless contact was made.
58. Everest claimed responsibility for a cyberattack on ASRock Rack, a major server and datacenter hardware manufacturer, alleging it exfiltrated approximately 509 GB of sensitive data including technical documentation, firmware, software, BIOS files, diagnostic tools and baseboard management controller (BMC) firmware. The listing on Everest’s dark web leak site also included screenshots posted as proof of claims. ASRock Rack has not issued a public confirmation or detailed response to the claims.
59. Reproductive Medicine Associates of Michigan (RMAM) informed patients of a recent cyberattack in which unauthorized threat actors accessed its network and stole sensitive data. The organization identified suspicious activity and took immediate steps to secure its IT environment. The specific types of information affected have not yet been confirmed, and the investigation into the scope of the incident is ongoing.
60. Indian music streaming platform Raaga confirmed a major data breach in which unauthorized access to its systems resulted in the exposure of personal information for approximately 10.2 million users, with the stolen dataset subsequently offered for sale on underground cybercrime forums. The compromised information reportedly includes email addresses, names, gender and age details, geographic location data and passwords hashed using unsalted MD5. Raaga has not released detailed disclosures about how the breach occurred or what specific systems were affected.
61. The Minnesota Department of Human Services started notifying nearly 304,000 individuals after unauthorized access was identified within its MnCHOICES system. An investigation determined that for most of the individuals affected, stolen information was limited to demographic data. For 1,206 individuals, additional information was accessed, including some medical details. No known threat actors have stepped forward to claim responsibility for the incident.
62. Genesis added Advanced Family Surgery Center (AFSC) to its dark web leak site, claiming to have exfiltrated 100 GB of data. Compromised data allegedly includes healthcare data, financial data, operational data and personal information. A file tree was also added to the dark web post, listing files in the exfiltrated data. According to the threat actors, AFSC was made aware of the incident in late November, with a spokesperson even showing up to negotiate at one point. AFSC has not publicly addressed these claims.
63. Dermatology Associates in Kentucky announced that an August 2025 security incident may have resulted in unauthorized access to patient data. An investigation into the incident confirmed that the unauthorized access over a two-month period resulted in the exposure of confidential information. It is not known who is responsible for the attack.
64. Everest ransomware group claimed responsibility for a major breach targeting McDonald’s India, alleging the exfiltration of approximately 861 GB of sensitive data, including internal company documents and personal customer information such as contact details and business records. The attackers published samples on a dark web leak site and set a deadline for a response before threatening wider data release. McDonald’s India has not yet publicly confirmed the incident.
65. Technology company Paylogix announced it had experienced a data breach in which sensitive personal information may have been compromised. The organization experienced network disruption involving certain computer systems. Akira claimed responsibility for the attack, allegedly exfiltrating 185 GB of data.
66. French authorities launched a preliminary investigation after a cyberattack on Waltio, a cryptocurrency tax reporting platform used by thousands of investors. Hackers believed to be the group Shiny Hunters accessed and attempted to extort data tied to approximately 50,000 users, including email addresses and summary information from 2024 tax reports such as crypto holdings and balances, although Waltio says sensitive credentials and funds were not compromised.
67. Dresden State Art Collections suffered a targeted cyberattack that disrupted large parts of its digital infrastructure, severely limiting online services like ticketing, visitor support and the museum shop. While physical security systems and museum operations remained intact, digital and telephone systems were largely offline as IT and forensic teams worked to restore services, and investigations continue in coordination with police and state authorities. Details on data theft or specific exfiltrated information have not been disclosed, and the identity of the attackers remains unknown.
68. Rogers Capital Credit, a financial services firm in Mauritius, suffered a data breach during which customer information was obtained and published on the dark web. The exposed records, primarily dating up to December 2022, include highly sensitive personal data such as copies of passports and national ID cards, proof of address, income documentation, and for some clients, banking, credit and civil status information. The Bank of Mauritius has warned the public to exercise vigilance, monitor financial accounts closely, and be alert for potential fraud and phishing attempts as the full scope of the incident continues to be assessed. The Gentlemen ransomware group claimed responsibility for this attack.
69. Nike is investigating a potential data breach after the cybercrime group WorldLeaks publicly claimed to have stolen and leaked approximately 1.4 TB of internal data from the company, including more than 188,000 files related to product design, manufacturing, supply chain and operational information. While Nike has confirmed it is assessing the situation, emphasizing its commitment to data security, it has not yet verified the full scope or confirmed whether customer or employee personal data was exposed.
70. The New York-based Civil Service Employees Association confirmed that a data security incident it experienced last year compromised the sensitive personal information of 47,352 individuals. Upon discovering the unauthorized activity, CSEA took immediate action to secure the network, while notifying relevant law enforcement authorities. The compromised data includes names and other personal identifiers such as SSNs. No known hacker group has claimed responsibility for the attack.
71. Columbia Medical Practice confirmed that patient information was compromised during a ransomware attack in November 2025, exposing the sensitive personal and medical data of up to 3,000 individuals. Threat actors exfiltrated data before deploying malware that encrypted files on certain systems. Columbia Medical Practice stated that its electronic medical record system was not accessed during the incident. Qilin took credit for the attack.
72. MACT Health Board notified individuals affected by a November 2025 security incident which caused disruption to its IT systems. An investigation confirmed that an unauthorized third party had accessed its computer network and exfiltrated sensitive patient information. Rhysida claimed responsibility for the attack and uploaded samples of identity documents to its leak site as proof of claims, demanding a ransom of 8 BTC ($622,000).
73. TriCity Family Services started notifying 2,511 patients about a data security incident which took place in Spring 2025. An investigation revealed that an unauthorized threat actor had access to its computer systems for around 6 months, during which time sensitive data was exfiltrated. INC took credit for the attack, claiming to have exfiltrated 22 GB of data from the healthcare provider.
74. Enviro-Hub Holdings Ltd. disclosed that it was the victim of a ransomware attack, during which an unauthorized party gained access to its group servers. The company implemented containment and remediation measures and engaged external experts to investigate the incident, which has not yet been determined to have materially impacted operations, and is still assessing the scope of any data accessed or exfiltrated. Enviro-Hub has also reported the incident to Singapore’s Personal Data Protection Commission as part of its ongoing response.
75. Laurel Health Centers confirmed that an unauthorized third party accessed portions of its email environment in July 2025, potentially exposing sensitive patient information. An examination of affected email accounts found that data, including both PII and PHI, were viewed. The data involved varies by individual. At this time, no ransomware group has claimed responsibility for the attack.
76. Rhysida took credit for a November 2025 ransomware attack on Cytek Biosciences in California. The organization sent data breach notices to 331 people in November, alerting them to the fact that personal information was exposed during the incident. Rhysida added Cytek to its leak site, with a number of images posted as proof of claims. The dark web post now states that all of the data taken during this attack has been sold.
77. Apparel company FullBeauty Brands confirmed that it notified at least 1,191 people of an October 2025 data breach that compromised names and SSNs. Everest took responsibility for the incident in mid-November and intentionally leaked all of the supposedly stolen data on its dark web site after FullBeauty failed to respond to the ransom deadline.
78. Clop ransomware group claimed responsibility for a cyberattack targeting Hilton Hotels, posting the hospitality giant on its dark web leak site. Clop has not backed up the claim with evidence such as data samples and has not disclosed how much data was allegedly exfiltrated. Hilton has stated it has no evidence that its systems or data were compromised. The situation remains under investigation, and Hilton continues to assess any potential impact.
79. Nova ransomware group has claimed responsibility for a cyberattack on KPMG Netherlands, listing the firm on its dark web leak site and threatening to publish up to 500 GB of allegedly stolen data if ransom demands are not met. The group reportedly posted the claim on 23 January 2026, stating it had exfiltrated sensitive information and issuing a 10-day ultimatum for negotiations. KPMG has denied that its systems were compromised and says it is monitoring the situation, meaning the scope and authenticity of the alleged breach remains unverified while investigations continue.
80. It was revealed that individuals who received services from Mitchell County Department of Social Services have had their sensitive information stolen in an October ransomware attack. The attack encrypted files and caused email and phone outages for a number of days. A forensic investigation revealed that there had been unauthorized network access for four days in October, during which time files were exfiltrated. The data review and investigation remain ongoing to determine the types of information involved and the individuals affected.
81. Sanxenxo City Council in Spain has been hit by a cyberattack that encrypted data and compromised thousands of administrative documents, disrupting municipal operations. The attackers reportedly demanded a ransom of $5,000 in Bitcoin in exchange for releasing the encrypted files, but the city has indicated it plans to recover without paying.
82. Crunchbase has confirmed a data breach after the ShinyHunters hacking group leaked millions of records online. The exposed information included usernames, email addresses, hashed passwords and API keys, and was first posted on cybercrime forums before being shared more widely. Crunchbase says it has reset compromised credentials, notified affected users, and implemented additional security measures.
83. Russian security systems provider Delta, which manages alarm and vehicle security services, was hit by a large-scale cyberattack that caused widespread service outages across its home, business and car alarm platforms. Delta acknowledged the incident as a “large-scale, coordinated and well-organized” external attack and said its technical teams are working to restore systems after phone lines and its website went offline. Customers reported being unable to deactivate alarms or unlock vehicles, and some experienced vehicle systems malfunctioning due to the disruption. While Delta maintains no customer personal data has been confirmed leaked, an anonymous Telegram channel claiming to be linked to the attackers published an alleged stolen data archive.
84. 360 Dental in Philadelphia reported a data breach that affected 11,273 individuals. A ransomware attack in November led to the encryption of files and the exposure of sensitive patient data. The types of data involved vary from individual to individual and include names in combination with other PII and PHI.
85. Langley Twigg Law, a New Zealand law firm, is investigating a cyberattack attributed to Anubis after the hackers posted employee and client passport scans and other sensitive documents on an underground forum. The breach involved unauthorized access to its systems and theft of personal identity information, prompting the firm to engage forensic experts, notify authorities and affected individuals, and take systems offline while it works to contain the impact.
86. Auckland-based Brinks Poultry Ltd has allegedly been hacked by the Clop ransomware group, with the threat actors claiming to have stolen internal company data and listing the business on Cl0p’s dark web leak site. The incident reportedly involved unauthorized access and exfiltration of internal documents, and attackers are using extortion tactics to pressure the company into contacting them. Brinks Poultry is currently assessing the scope of the breach, engaging cybersecurity experts, and working to contain and remediate the incident.
87. Winona County, Minnesota, experienced a ransomware attack that disrupted several county systems, forcing the IT department to take multiple networks offline to contain the incident. The breach affected services including tax and motor vehicle systems, and the county confirmed it was working with law enforcement and cybersecurity partners to investigate the attack and restore operations. Officials have not disclosed whether any data was exfiltrated or if a ransom demand was made, but precautionary steps and extended service delays reflect the significant operational impact on local government systems.
88. The Vladimir Bread Factory, one of the largest bakery producers in its region of Russia, recently suffered a cyberattack that knocked out its internal digital systems, including office computers, servers and electronic document management tools. The disruption didn’t stop production itself, but it complicated order processing and deliveries, leading to temporary supply challenges for retailers and customers as the company reverted to manual processing while it works to restore systems.
89. The City of New Britain, Connecticut, was hit by a ransomware attack that disrupted internet, phone, and internal systems for more than 48 hours, forcing city officials to activate incident response protocols and work with state and federal authorities, including the FBI, to assess the impact and restore operations. Despite the disruption, emergency services and essential functions continued, and additional cybersecurity resources were brought in to investigate the incident, although it remains unclear if resident data was compromised.
90. The Tulsa International Airport in Oklahoma was reportedly hit by a Qilin ransomware attack, with the cybercriminal group posting leaked internal documents, including financial records, internal emails, and employee ID information, on its dark web leak site. It is not yet clear whether airport operations or customer data were directly affected.
91. In Slovenia, gas supplier Geoplin was hit by a ransomware attack orchestrated by Sinobi. The ransomware group demanded $8.2 million in exchange for an undisclosed amount of stolen data. The company and its owner confirmed that they had detected a cybersecurity incident and are taking the necessary measures in response. It is not clear what types of data were exfiltrated during the attack.