The week in breach news

This week: Google becomes the latest victim of the Salesforce vishing breach, bad actors adopt a new exploitation angle and Kaseya Labs uncovers a high-severity vulnerability in Microsoft’s On-Premises Exchange.

United States

Google

Industry: Technology Exploit: Third-Party Data Breach

Google confirmed a data breach amid a wave of continuing Salesforce CRM theft attacks. The cyber extortion group ShinyHunters (also known as UNC6040) is believed to be behind the incident. The group claimed to have exposed 2.55 million records and demanded 20 BTC (around $2.3 million) from Google before calling it a “prank.”

Analysis revealed that business names, phone numbers and sales notes were accessed during a brief window before Google cut off access. No financial data was compromised, and Google Ads, Merchant Center, Google Analytics and other ad products remained unaffected.

The incident is part of an ongoing campaign in which attackers use voice phishing to contact their target’s IT team, claiming to be from Salesforce IT support. The bad actor then tricks an employee into downloading a modified version of Salesforce’s Data Loader.

How it could affect your business

Even tech giants with robust security can be compromised when employees fall victim to phishing or vishing attacks.

United States

The Administrative Office of the United States Courts

Industry: Government & Public Sector Exploit: Nation-State

The Administrative Office of the U.S. Courts discovered a data breach affecting the U.S. federal judiciary’s electronic case filing system, potentially exposing sensitive court records.

The breach impacted both the Case Management/Electronic Case Files (CM/ECF) platform and the Public Access to Court Electronic Records (PACER) public access system.

According to sources familiar with the matter, bad actors accessed a variety of data, including the identities of confidential informants, records on cooperating witnesses and defendants, sealed indictments, and non-public arrest and search warrants across multiple states. Nation-state hackers are suspected to be behind the incident.

How it could affect your business

Nation-state actors often target intelligence-rich databases containing sensitive data, such as judiciary records, that can be used for extortion.

United States

Columbia University

Industry: Education Exploit: Hacking

Columbia University has disclosed a data breach affecting nearly 870,000 people, including current and former students, applicants and employees. Hackers claim to have stolen 460 GB of data.

An investigation revealed an unauthorized actor accessed the university’s network, stealing files containing names, dates of birth, Social Security numbers, contact details, demographic and academic information, financial aid data, and any insurance or health information submitted.

The breach was discovered after an IT outage prompted a forensic review. While there is no evidence the stolen data is being misused, Columbia is offering two years of free credit monitoring and identity restoration through Kroll.

How it could affect your business

Organizations must enhance monitoring and shorten the window between intrusion and detection to reduce the impact of a breach.

United States

The City of Saint Paul, Minnesota

Industry: Government & Public Sector Exploit: Ransomware & Malware

The City of Saint Paul, Minnesota, suffered a major cyberattack, prompting the state’s first-ever activation of its Cyber Protection Unit. The city detected the intrusion on July 25 after spotting suspicious activity on internal systems and responded by shutting down affected networks to contain the threat.

The attack disrupted multiple services, including online payments, library systems and recreation programs, though most emergency services remain unaffected. Police have temporarily switched to radio communications to maintain public safety.

Local, state and federal agencies are investigating the incident and working to restore systems. The city has not provided an estimated timeline for recovery.

How it could affect your business

Municipalities must regularly update their cyber response plans and ensure continuity of critical operations during outages.

European Union

Air France

Industry: Transportation & Logistics Exploit: Third-Party Data Breach

Air France notified customers of a recent data breach after a fraudster gained limited access to a third-party system used by the airline. In an email to affected passengers, the carrier said some customers’ first names, frequent flyer numbers and tier levels were exposed. Sensitive information, such as credit card details, passport numbers, booking data and frequent flyer mile balances, was not compromised.

Hacker group ShinyHunters has claimed responsibility for the incident. Around the same time, KLM Royal Dutch Airlines also issued a similar breach notice to its customers. Cybersecurity experts believe ShinyHunters is tied to Scattered Spider, the group linked to recent breaches at WestJet, Hawaiian Airlines and Qantas.

How it could affect your business

Any company can be exposed through vulnerabilities in third-party systems, making supply chain security a critical part of a cybersecurity strategy.

European Union

NOVOMATIC Italia

Industry: Hospitality & Leisure Exploit: Ransomware & Malware

Italian gaming conglomerate NOVOMATIC Italia has fallen victim to a ransomware attack, with cybercrime group Lynx claiming responsibility. The attack affects, but is not limited to, subsidiaries Admiral Pay, Admiral Gaming Group and Allstar. Bad actors snatched 600 GB of sensitive information, including financial documents, fiscal records, tax data and the personal data of employees and customers. No ransom demand has been made public.

How it could affect your business

Centralized yet segregated security controls can prevent a compromise in one unit from spreading to others.

Australia & New Zealand

Belmont Christian College

Industry: Education Exploit: Ransomware & Malware

Belmont Christian College, a K-12 school near Lake Macquarie, New South Wales, suffered a ransomware attack by the Qilin group. The leaked data includes personal information of students and staff, immunization records, incident reports, payment histories and detailed staff information, such as their Working with Children IDs.

Qilin also obtained information about charitable contributions made to the college. In an unusual move, Qilin alleged possible theft within the school’s charitable donations, citing discrepancies in financial records. Uncharacteristically, they did not specify the total amount of data exfiltrated or issue a ransom demand.

How it could affect your business

The allegations of financial impropriety highlight how bad actors can use stolen information for blackmail.
