#data-breach

#data-breach

Their demand lands amid fierce criticism of the regulator's decision not to formally investigate the Ministry of Defence over what has been described as the most serious data breach in British history: the leaking of a spreadsheet revealing the identities and locations of more than 19,000 Afghans fleeing the Taliban. Information Commissioner John Edwards defended his stance at a DSIT-hosted hearing last month, insisting the incident was a "one-off" error rather than evidence of systemic non-compliance inside the MoD.

Thalha Jubair 19, from East London, and Owen Flowers, 18, from Walsall in the West Midlands spoke only to confirm their names and enter pleas at the brief hearing. They are both charged with conspiring to commit unauthorised acts against Transport for London (TfL) under the Computer Misuse Act. In addition, Mr Flowers is accused of attempting to hack computer systems belonging to California-based Sutter Health and another US company, SSM Healthcare Corporation. Mr Jubair has also been charged with failing to provide passwords for his devices.

Privacy watchdogs in Ontario and Alberta issued their findings Tuesday after investigating a mass data breach of a student information system used across Canada, concluding that school boards lacked adequate breach response plans, among other issues. Ontario's privacy commissioner says PowerSchool, a software and storage company for school systems in the U.S. and Canada, was a victim of a cyberattack and ransom threat in December 2024 that compromised the data of current and former students, parents and staff.

The researcher, Jonathan Clark, says he knows this for a fact because he reported the attack to Coinbase on January 7 after the criminals tried to scam him. According to Clark, Coinbase's Head of Trust and Safety Brett Farmer responded to his "comprehensive security report" the same day he emailed it to the company's security@ address. In a blog about the incident, Clark says Farmer replied: "This report is super robust and gives us a lot to look into. We are investigating this scammer now."

A person claiming to be one of the University of Pennsylvania hackers says that about "1.2 million lines of data" will be kept private for the group to sell before it is made public. The group also plans to make other documents public. In comments to The Verge, the hacker or hackers distanced themselves from earlier hacks of other private universities including Columbia - which were aimed at demonstrating colleges had maintained unlawful pro-diversity policies.

Today's reminder of the insider threat comes to us from the National Health Service in the U.K. Craig Meighan and Billy Gaddi report: A woman has been charged after Scots patients had their private medical records accessed during an NHS data breach. Reports suggest around 100 patients in NHS Lothian could have had their records accessed as a result of the incident. The health board said it discovered patients in the region may have had their information "inappropriately accessed" during routine monitoring.

On 9 October 2025 the Federal Court of Australia (the Court) imposed an AU$5.8 million civil penalty on Australian Clinical Labs Limited, one of Australia's largest private hospital pathology service providers (the Company), for systemic failures that led to the unauthorised access to and exfiltration of the sensitive personal information of more than 223,000 individuals.

While scanning for unsecured databases at the end of September, an ethical security researcher stumbled upon the exposed cache of data and discovered that it was part of a site called DomeWatch. The service is run by the House Democrats and includes videostreams of House floor sessions, calendars of congressional events, and updates on House votes. It also includes a job board and résumé bank.

An unencrypted, non-password-protected database was discovered by Cybersecurity Researcher Jeremiah Fowler. This database contained files from an email marketing platform and held approximately 40 billion records (13 TB). The records appeared to belong to Netcore Cloud Pvt. Ltd (Netcore), an India-based company providing marketing services. Fowler sent a message to Netcore to inform them of the exposure, and the database was restricted the same day.

"Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault, just sitting there," it said. "With a note that says 'free to a good home.' [The lead researcher had] investigated breaches that started with less. Way less. He once traced an entire ransomware incident back to a single web.config file that leaked a connection string. That was 8 kilobytes. This was four terabytes.

on the unindexed internet.

A spokesperson for Apple told Business Insider that both apps were removed for not meeting "requirements around content moderation and user privacy, in addition to receiving an excessive number of user complaints and negative reviews - including complaints of minors' personal information being posted in the apps." The spokesperson added that for Apple, the general approach after discovering a violation is to communicate with the app developer to bring the platform up to standard.

Anti-fraud nonprofit Cifas was left red-faced after sending out a calendar invite that exposed the email addresses of dozens of individuals working across the fraud space. The invite was sent in August to a session scheduled for October 16 about the organization's JustMe app, which allows individuals to confirm if applications made in their name are genuine. Over a dozen addresses were exposed in the To field, with another 45 in the CC field, according to the message.

On October 16 and 17, the ScatteredLAPSUS$Hunters Telegram channel repeatedly violated Telegram's TOS by leaking personal information on people - and in this case, information on employees of the Department of Justice (DOJ/FBI), U.S. Attorneys Office (DOJ/USAO), the Department of Homeland Security (DHS), and the Federal Aviation Authority (FAA). DataBreaches did not report on it at the time precisely because the files were still exposed. Instead, DataBreaches contacted Telegram to inquire why the channel hadn't been banned again for leaking sensitive information about government employees.

More than 17 million individuals were likely impacted by a data breach at peer-to-peer lending marketplace Prosper, data breach notification service Have I Been Pwned warns.Prosper disclosed the incident last month, noting that hackers accessed its network and stole confidential, proprietary, and personal information from its systems. According to the US-based company, the attackers queried its database containing customer information and applicant data to exfiltrate the information, but did not access user accounts.

In August, the New York State Department of Financial Services reached agreement with Healthplex, Inc., a licensed insurance agent and independent adjuster, to pay a $2 million civil penalty after a hacker executed a phishing attack on an employee's email and gained access to the private health data and sensitive nonpublic information of tens of thousands of Healthplex consumers. Eight years in the making, the final phase of New York's groundbreaking Cybersecurity Regulation Part 500 takes effect Nov. 1.

If you're a current or former AT&T customer, the deadline to file a claim to be part of the $177 million class-action settlement over two major data breaches has been extended. The breaches -- one dating back to 2019 and a second in 2024 -- exposed Social Security numbers, call and text records, names, addresses, dates of birth, and more.