Top news stories this week
- Snap, crackle and Cl0p. Sensitive data exposed in WK Kellogg and Europcar data breaches.
- Is it a breach, is it a plane. Oracle confirms data breach in mixed messaging.
- Lights, Scam, Action! Finance director in Singapore duped by deepfake scammers.
- Operation Endgame. Europol arrests further suspects following the 2024 takedown of the Smokeloader botnet infrastructure.
- Hidden in plain sight. Hackers spent over a year inside Treasury regulator’s email system.
- Patch panic. Google, Microsoft, and CISA respond to active exploits in Android, Windows, and Ivanti.
1. Sensitive data exposed in WK Kellogg and Europcar data breaches
Ransomware gang Cl0p claimed responsibility for stealing sensitive employee data from the American food manufacturer WK Kellogg Co. The group exploited a zero-day vulnerability in Cleo's file transfer software, which WK Kellogg used to host and transfer employee files to human resources service providers.
Separately, the multinational car rental company Europcar Mobility Group suffered a data breach when a threat actor gained access to all of its GitLab repositories, including SQL backup files and configuration files that contained sensitive information.
So what?
Organisations should work closely with their third parties to ensure that any security gaps are identified and remediated to a level that aligns with their risk tolerance and security policies.
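The Europcar incident turned on two artefact classes that should never sit in a shared repository: SQL backups and configuration files carrying live credentials. As an added example (not from the original article, nor Europcar's or GitLab's own tooling), the following Python scanner walks a checkout and flags both, while skipping obvious placeholders so that an example config does not drown the real findings. The sample repository contents, file names and regular expressions are constructed for illustration; the secret patterns are an assumption about common formats, not an exhaustive rule set.

```python
"""Scan repository contents for committed database backups and live secrets.

Added example with constructed sample data; not Europcar's or GitLab's code."""
import os
import re
from dataclasses import dataclass

# File names that indicate a database dump or backup (assumed naming conventions).
BACKUP_NAME_RE = re.compile(
    r"(\.sql(\.gz|\.zip|\.bz2)?$|\.dump$|\.bak$|backup.*\.(sql|tar|zip)$)", re.I
)

# Content patterns for secrets commonly found in configuration files (assumed formats).
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "connection_string": re.compile(
        r"\b(postgres(ql)?|mysql|mssql|mongodb(\+srv)?)://[^\s:/@]+:[^\s@]+@", re.I
    ),
    "password_assignment": re.compile(
        r"^[ \t]*[\"']?(?:db_)?(?:password|passwd|pwd|secret)[\"']?[ \t]*[:=][ \t]*"
        r"[\"']?(?P<v>[^\s\"'#]{6,})",
        re.I | re.M,
    ),
    "aws_access_key": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "sql_dump_header": re.compile(r"^--\s*(MySQL|PostgreSQL) dump", re.M | re.I),
}

# Values that look like secrets but are placeholders; skipping them cuts noise.
PLACEHOLDER_RE = re.compile(r"^(\$\{?[A-Z_]+\}?|<[^>]+>|changeme|xxx+|\*+|example)$", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line: int  # 0 when the finding is about the file name, not its content


def scan_text(path, text):
    """Return findings for one file given its repository path and content."""
    findings = []
    if BACKUP_NAME_RE.search(path):
        findings.append(Finding(path, "backup_file", 0))
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "password_assignment" and PLACEHOLDER_RE.match(m.group("v")):
                continue  # ${DB_PASSWORD}, <redacted>, changeme ...
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, kind, line_no))
    return findings


def scan_files(files):
    """files: mapping of relative path -> text content (deterministic order)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def scan_tree(root, max_bytes=2_000_000):
    """Walk a checked-out repository on disk, skipping .git and oversized files."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                if os.path.getsize(full) > max_bytes:
                    files[rel] = ""  # still name-checked, content skipped
                    continue
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    files[rel] = fh.read()
            except OSError:
                continue
    return scan_files(files)


# Constructed sample repository; none of this is real data.
SAMPLE_REPO = {
    "config/database.yml": (
        "production:\n  adapter: postgresql\n  host: db.internal.example\n"
        "  username: app\n  password: Tr0ub4dor&3\n"  # live credential committed
    ),
    "config/database.example.yml": "production:\n  password: ${DB_PASSWORD}\n",  # placeholder
    "config/settings.ini": "[db]\nurl = postgres://app:Tr0ub4dor%263@db.internal.example:5432/app\n",
    "db/backups/prod-2024-11-02.sql.gz": "",  # flagged by name alone
    "db/seed.sql": "-- MySQL dump 10.13  Distrib 8.0\nINSERT INTO users VALUES (1, 'a');\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n-----END OPENSSH PRIVATE KEY-----\n",
    "src/app.py": "import os\nDSN = os.environ['DATABASE_URL']\n",  # correct pattern: no finding
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.kind}")
```

Run against a real checkout with `scan_tree("/path/to/repo")`; wiring it into a pre-receive hook or CI job turns the check into a gate rather than an audit. Treat the patterns as a starting point and tune the placeholder list to your own conventions, otherwise the noise will be ignored along with the real hits.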
[Researcher: Milda Petraityte]
2. Oracle informs clients of a second breach
Following initial denials of a data breach last month, Oracle has now notified customers that a cyber criminal stole hashed credentials from a legacy environment. Oracle maintains that the compromised data originated from systems that have been inactive since 2017, yet customers have reported that the exposed records include data from 2025.
So what?
Organisations should have clear and consistent messaging when disclosing the impacts of breaches, consulting legal counsel and PR firms for guidance.
[Researcher: Denisa Greconic]
3. Finance director in Singapore duped by deepfake scammers
The finance director of a multinational corporation in Singapore narrowly avoided losing over USD 499,000 in an impersonation scam that used deepfake technology. Fraudsters impersonated the CEO and CFO and successfully prompted the transfer of funds to an account under their control. Fortunately, the Singapore and Hong Kong Police Forces traced and froze the funds.
So what?
This event highlights the increasing sophistication of deepfake technology in financial scams and underlines the need for businesses to implement stringent verification protocols for payment requests, such as out-of-band confirmation through a known channel before funds are released.
[Researcher: Nor Liana Kamaruzzaman]
4. Operation Endgame - more arrests on suspicion of using Smokeloader bots
Europol has reported additional arrests of suspects connected to the pay-per-install botnet Smokeloader. Customers of the malware used it for a range of malicious activities, including keylogging, webcam surveillance, ransomware deployment and crypto mining.
So what?
Taking down malware developers and their infrastructure disrupts the ransomware landscape. For more information on law enforcement takedowns and their implications for the cyber crime landscape, read our article here.
[Researcher: Lena Krummeich]
5. Cyber criminals spent over a year inside Treasury regulator’s email system
Threat actors gained access to the U.S. Treasury’s Office of the Comptroller of the Currency (OCC) in June 2023 by compromising a system administrator account, which allowed them to monitor over 150,000 internal emails. The breach affected the communications of more than 100 bank regulators and went undetected until February 2025. It was later reported to Congress as a major information security incident, with potential exposure of sensitive information related to financial oversight and examination processes.
So what?
Organisations should review security controls for privileged accounts and implement continuous monitoring to swiftly detect suspicious activity.
[Researcher: Lori Murphy]
6. Google, Microsoft, and CISA respond to active exploits in Android, Windows, and Ivanti
Google and Microsoft released critical security updates addressing multiple actively exploited vulnerabilities, including two Android zero-days and a Windows CLFS zero-day that has been exploited by threat actors including the group Storm-2460.
Meanwhile, CISA added a critical Ivanti Connect Secure vulnerability to its known exploited vulnerabilities catalogue, urging users in both the public and private sectors to patch the vulnerability as quickly as possible.
So what?
Organisations should promptly patch actively exploited vulnerabilities, prioritising those listed in CISA's known exploited vulnerabilities catalogue, to deny threat actors easy targets in widely used platforms.
[Researcher: Clay Palmer]