North America
Microsoft Teams users
Microsoft’s Detection and Response Team revealed a Microsoft Teams voice phishing (vishing) campaign that targets Microsoft users.
In this campaign, threat actors impersonate IT support and trick users into granting remote access via Microsoft’s Quick Assist, enabling initial device compromise. Once access is established, attackers shift from social engineering to hands-on-keyboard compromise. They then direct users to malicious websites that prompt them to enter corporate credentials into spoofed forms, triggering the download of multiple malicious payloads.
This incident highlights a growing class of attacks that exploit user trust, collaboration platforms and legitimate built-in tools to gain access and move laterally within environments.
How it could affect your business
Attackers are increasingly exploiting trusted tools and collaboration platforms to gain unauthorized access. In these incidents, threat actors create a sense of urgency and trust that can override user caution. Organizations should restrict inbound communication from unmanaged Teams accounts, adopt an allowlist approach for trusted external domains and review the use of remote access tools to reduce the risk of such incidents. Raising user awareness is also critical so employees can recognize suspicious requests before they cause damage.
United States
Foster City
Foster City, California, declared a state of emergency after a ransomware incident disrupted city services for more than a week.
On March 20, city officials confirmed that most computer systems were taken offline after detecting suspicious activity on the network the previous day. The disruption significantly impacted city operations, with most public services, except emergency response, temporarily shut down. Officials also noted concerns that public information may have been accessed, though this has not been confirmed.
City officials said they activated response protocols and are working with independent cybersecurity experts to investigate and restore systems. While details remain limited, residents and those who do business with the city have been advised to change their passwords as a precaution.
How it could affect your business
Attacks on public services continue to grow, disrupting essential operations and impacting citizens who rely on them daily. Government and public sector organizations should strengthen defenses with proactive threat monitoring, well-tested backup and disaster recovery strategies and clear response plans to maintain continuity during incidents like this.
North America
Cisco firewall vulnerability
A vulnerability patched earlier this month by Cisco in its firewalls has been exploited as a zero-day since at least late January, according to Amazon’s threat intelligence team.
The flaw, tracked as CVE-2026-20131, is a remotely exploitable deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) software and carries a maximum CVSS score of 10. While Cisco released a patch on March 4, a report indicates that the Interlock cybercrime group had been exploiting it as a zero-day since at least January 26, pointing to a critical patching gap.
Cisco updated its advisory on March 18 to inform customers about this in-the-wild exploitation.
How it could affect your business
While this incident highlights the delay at the provider level, it also reinforces the need for organizations to have automated patch management in place. Timely and automated updates help ensure vulnerabilities are addressed quickly while freeing IT teams to focus on more strategic security initiatives.
United States
Trinity Health
Trinity Health, a not-for-profit Michigan-based Catholic health system operating more than 92 hospitals across 22 U.S. states, has disclosed a data breach involving protected health information (PHI).
Trinity Health participates in automated electronic data exchanges with Health Information Exchanges (HIE) to enable seamless access to patient data across providers. On January 13, the organization was notified by its HIE partner, Health Gorilla, of potential unauthorized access to patient information. The exposed data may include clinical care details, demographic information, insurance records and, in some cases, driver’s license numbers.
How it could affect your business
Third-party breaches are becoming increasingly common in regulated sectors like health care, where interconnected systems and data exchanges expand the attack surface. To reduce risk, healthcare providers should enforce strict third-party security assessments, limit data sharing to only what is necessary and continuously monitor integrations to detect unauthorized access early.


