The week in breach news

This week: SonicWall’s cloud backup breach widens, hackers hijack university HR systems and personal data of 5.7 million Qantas customers exposed.

North America

SonicWall

Industry: Technology
Exploit: Hacking

SonicWall’s disclosure last month of a data breach on its cloud backup service appears to be far more serious than initially believed.

On October 8, following a full investigation conducted with Google’s Mandiant, SonicWall announced that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service. This is a significant escalation from the company’s earlier assessment on September 17, when it believed only 5% of its firewall install base was affected. Meanwhile, SonicWall reaffirmed that the exposed files contain encrypted credentials and configuration data.

The company urges all customers to log in and review their devices immediately. It has also started notifying partners and users directly and released tools to help assess and remediate affected systems.


How it could affect your business

All customers with SonicWall Firewalls that have preference files backed up in MySonicWall.com are considered affected. To contain potential risks, it’s critical to follow SonicWall’s published guidance immediately.

North America

U.S. universities

Industry: Education
Exploit: Business Email Compromise

Microsoft has warned that hackers are breaking into human resources SaaS platforms like Workday to target employees at U.S. universities and divert their salaries to attacker-controlled accounts.

Dubbed “payroll pirate,” Microsoft Threat Intelligence observed a financially motivated scam by a threat actor called Storm-2657, compromising university employee accounts to access HR profiles and redirect payments. Since March 2025, the group has used social engineering tactics and the lack of multifactor authentication (MFA) to break into 11 email accounts across three universities. From there, they sent nearly 6,000 phishing emails to 25 universities, using lures such as campus illness alerts and faculty misconduct reports to steal login credentials through adversary-in-the-middle (AiTM) attacks.

Microsoft said this is yet another variation of the business email compromise (BEC) scam. The attacks don’t exploit flaws in HR platforms themselves but rather take advantage of poor MFA adoption and weak authentication practices.


How it could affect your business

Strong authentication and user awareness are your best defense. Enforcing MFA across all accounts and educating employees to recognize phishing attempts can stop attackers from hijacking credentials and exploiting trusted systems.

Australia & New Zealand

Qantas

Industry: Aerospace & Defense
Exploit: Third-Party Data Breach

On October 12, 2025, Qantas Airways confirmed that hackers had released the personal data of more than 5.7 million customers on the dark web.

Qantas is among many global companies — including Toyota, Disney, Ikea, Air France and KLM — targeted by the hacker collective Scattered Lapsus$ Hunters. The group reportedly stole nearly 1 billion records in July by targeting customers of cloud technology giant Salesforce. The hackers did not breach Salesforce itself; instead, they impersonated legitimate Salesforce employees in calls to the IT helpdesks of the affected companies to gain access. In Qantas’ case, a call center in the Philippines was reportedly exploited to obtain access.

The exposed passenger data includes dates of birth, phone numbers, addresses, emails and frequent flyer numbers. Qantas confirmed that no credit card, financial or passport details were compromised and that frequent flyer accounts remain secure.


How it could affect your business

Social engineering remains one of the most effective tactics for cybercriminals. Training helpdesk and support staff to verify every request and recognize impersonation attempts is critical to preventing unauthorized access and protecting sensitive customer data.

North America

Velociraptor DFIR tool

Industry: Technology
Exploit: Ransomware & Malware

In a troubling new development, threat actors are abusing a digital forensics and incident response (DFIR) tool to carry out ransomware attacks.

Velociraptor is an open-source DFIR platform used by security teams to monitor endpoints across Windows, Linux and macOS environments. It allows for continuous data collection and rapid response to security events. According to researchers at Cisco Talos, in an attack observed in mid-August 2025, the attackers used the tool to drop ransomware families Warlock, LockBit and Babuk. During the attack, attackers exploited on-premises SharePoint vulnerabilities, known as ToolShell, to gain initial access and deploy an outdated version of Velociraptor (version 0.73.4.0). This version contained a privilege escalation flaw (CVE-2025-6264) that allowed arbitrary command execution and full endpoint compromise.

Researchers say this marks yet another example of how ransomware groups are expanding their arsenals by turning legitimate tools — both commercial and open source — into weapons for more sophisticated attacks.


How it could affect your business

Threat actors are leveraging legitimate tools in multiple ways to launch and scale ransomware attacks. To limit damage and speed up recovery, you need to build true ransomware resilience with immutable backups, rapid detection and response, least-privilege controls and regular tabletop exercises.
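One practical check a defender can run against the Velociraptor abuse described above is to compare every Velociraptor client found on endpoints with the organisation's own rollout: build version, the server URL in its client config and the install path. This is an added example, not code from the article or from the Velociraptor project; the approved server, baseline version and install directory are hypothetical placeholders, and the inventory records are constructed.

```python
"""Flag Velociraptor clients that do not match the organisation's own rollout.

Added example, not code from the article or the Velociraptor project. Assumed
input: endpoint inventory records giving the binary path, its file version and
the server URL taken from the client config. The approved server set, minimum
version and install directory are hypothetical baselines; substitute your own.
"""
from __future__ import annotations

APPROVED_SERVERS = {"https://velociraptor.corp.example:8000/"}  # hypothetical
MIN_VERSION = "0.74.0.0"  # hypothetical: the build your team actually deploys
EXPECTED_DIR = "c:\\program files\\velociraptor\\"  # hypothetical, lower-case


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '0.73.4.0' into (0, 73, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def assess_record(rec: dict) -> list[str]:
    """Return the reasons a record looks like an attacker-dropped client."""
    findings = []
    if parse_version(rec["version"]) < parse_version(MIN_VERSION):
        findings.append(f"version {rec['version']} older than baseline {MIN_VERSION}")
    if rec["server_url"] not in APPROVED_SERVERS:
        findings.append(f"client points at unapproved server {rec['server_url']}")
    if not rec["path"].lower().startswith(EXPECTED_DIR):
        findings.append(f"binary outside expected directory: {rec['path']}")
    return findings


def scan_inventory(records: list[dict]) -> dict[str, list[str]]:
    """Map each host that has at least one finding to its list of findings."""
    result: dict[str, list[str]] = {}
    for rec in records:
        findings = assess_record(rec)
        if findings:
            result[rec["host"]] = findings
    return result


# Constructed sample records (not real telemetry).
SAMPLE_INVENTORY = [
    {"host": "ws-0101", "path": "C:\\Program Files\\Velociraptor\\Velociraptor.exe",
     "version": "0.74.1.0", "server_url": "https://velociraptor.corp.example:8000/"},
    {"host": "sp-app-02", "path": "C:\\Windows\\Temp\\vr\\velociraptor.exe",
     "version": "0.73.4.0", "server_url": "https://203.0.113.44:8000/"},
]

if __name__ == "__main__":
    for host, reasons in scan_inventory(SAMPLE_INVENTORY).items():
        print(host, *("  - " + r for r in reasons), sep="\n")
```

Any host with findings deserves a look at how the binary got there, since the article's case had it arriving through an exploited SharePoint server rather than through the security team's own deployment.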

North America

Shuffle

Industry: Finance
Exploit: Third-Party Data Breach

Shuffle, a leading crypto betting platform, has confirmed a data breach after its third-party customer service provider was compromised, exposing the data of most of its users.

On October 10, Shuffle announced that its customer relationship management (CRM) service provider, Fast Track, suffered a data breach that exposed user information. The company used Fast Track for programmatic email sending and other user communications, which means email addresses and messages were believed to be among the compromised data. Shuffle said its specialists are investigating how the leak occurred and where the stolen data may have ended up.

The exposed information includes full names, email addresses, home addresses, phone numbers and complete transaction histories. The breach also revealed betting patterns and customer support message logs, raising concerns about user privacy and potential misuse of sensitive behavioral data.


How it could affect your business

Even if a breach only exposes emails or customer-support messages, attackers can weaponize that data for phishing and social engineering campaigns. In the case of crypto platforms, the stakes are even higher — cryptocurrency transactions are irreversible, so one successful scam could lead to a permanent loss of funds.


Upcoming webinars & events

Join our upcoming webinars and events to explore the network vulnerabilities that threat actors often exploit and to learn from top security and compliance experts.

The Repeat Offenders: Top Pentest Findings Attackers Love

October 23, 2025 11:00 AM EDT

Discover insights from over 50,000 pentests across 20,000 organizations. Learn which recurring weaknesses attackers exploit most, from spoofing and outdated systems to privilege escalation.


Kaseya Summit: Security & Compliance, Philadelphia

November 13, 2025 12:00 PM EDT

Join Kaseya experts and top industry leaders at the W Hotel Philadelphia for a full-day event exploring how security and compliance are reshaping IT and what it means for MSPs and SMBs aiming to stay ahead.
