The week in breach news

United States

The Centers for Medicare and Medicaid Services

The Centers for Medicare and Medicaid Services (CMS) is alerting approximately 103,000 Medicare beneficiaries about a data breach involving unauthorized access to Medicare.gov accounts.

CMS revealed suspicious activity tied to the fraudulent creation of online accounts was detected. An investigation revealed that from 2023 to 2025, bad actors created accounts using valid beneficiary data, including names, birthdates and Medicare IDs.

Once the accounts were active, they may have accessed sensitive information, such as provider details, diagnoses and premium data. CMS has deactivated affected accounts and is notifying impacted individuals by mail.

United States

Surmodics

Medical device and testing product manufacturer Surmodics is still recovering from a cyberattack discovered on June 5, 2025.

Despite the disruption, Minnesota-based Surmodics maintained operations by using alternative systems, allowing customer orders and shipments to continue without interruption. The company said there is no evidence that any stolen data, including third-party data, was leaked or misused.

Containment and recovery efforts are ongoing as Surmodics continues to assess the scope of the compromised data.

Australia

Qantas

Air carrier Qantas confirmed a major data breach affecting up to 6 million customers. Attackers targeted an offshore IT call center, enabling them to access a third-party system.

The breach exposed names, email addresses, phone numbers, birthdates and frequent flyer numbers. No financial data, passports, passwords or login credentials were compromised, the airline said.

The attack is linked to the threat group Scattered Spider, which recently hit WestJet and Hawaiian Airlines.

Europe

Deutsche Welthungerhilfe (WHH)

Deutsche Welthungerhilfe (WHH), a German aid organization that feeds millions in crisis zones, has fallen victim to a ransomware attack. The cybercriminals claim to have stolen sensitive data and are demanding a ransom of 20 bitcoins (roughly $2.1 million). WHH said affected systems were shut down immediately and the relevant authorities  were notified. WHH also stated it will not pay the ransom.

Despite the breach, the charity confirmed its humanitarian operations remain unaffected. WHH served 4 million people directly in 2024, and the organization is currently delivering aid in Gaza, Ukraine and Sudan.

Europe

LVMH

LVMH confirmed a successful cyberattack on its Louis Vuitton Korea arm. The conglomerate said an attack on June 8 resulted in a leak of some customer information, including contact details. The company stated that no financial data, such as credit card or bank account information, was compromised, and the breach has since been contained.

This marks the second cyber incident in recent months targeting LVMH, the world’s largest luxury group. Luxury brands Christian Dior Couture, Tiffany and Cartier have also been hacked in recent weeks.

United States

Ingram Micro

Global IT distributor Ingram Micro suffered a major ransomware attack on July 3, forcing shutdowns of key platforms, Xvantage and Impulse, across Europe, the U.S. and Asia. The SafePay ransomware group claimed responsibility, stating that it gained access to Ingram Micro’s network through compromised VPN credentials and exploited misconfigured systems.

The breach has disrupted operations for resellers, MSPs and enterprise clients, with some Fortune 500 companies shifting procurement to competitors. News reports cite poor communication from Ingram in the aftermath of the attack as a cause for client dissatisfaction. The ripple effects of delayed fulfilment may impact hardware installers, MSPs and cloud resellers. Analysts estimate Ingram could lose up to $136 million in daily revenue as the outage continues, raising serious concerns about supply chain resilience and data security.

South America

C&M Software

On June 30, 2025, C&M Software, a service provider to Brazil’s Central Bank and six other banks, was hit by hackers, resulting in the theft of approximately $140 million. The incident prompted the Central Bank to immediately suspend C&M Software’s platform access. Upon beginning an investigation, bank officials and law enforcement quickly determined that this was not a random attack.

On Friday, July 4, São Paulo’s TV Globo reported that João Nazareno Roque, an employee of C&M Software, had been arrested in connection with the theft.  An IT professional focused on backend systems at C&M Software, Roque is alleged to have sold his login credentials to cybercriminals for an estimated $2,700, providing them access to sensitive critical systems. According to police, Roque created the mechanism for the hackers to divert funds and attempted to fly under the radar by frequently changing cell phones.