North America
South Lyon Community School District
Cybercriminals continue to target educational institutions in the U.S. at an alarming pace. The latest victim, South Lyon Community School District, was forced to shut down schools following a ransomware attack.
Discovered on September 14, the attack was confirmed to be the result of a ransomware infection carried out by a well-known group, although officials have not released the name yet. While there is no evidence that student or faculty data was compromised, the attack crippled phone systems and several ancillary sub-systems, including those relied on during emergencies, such as active shooter responses.
This attack is one of many disrupting schools nationwide. Alarmingly, according to the nonprofit Center for Internet Security (CIS), 82% of K-12 schools experienced a cyber incident between July 2023 and December 2024.
How it could affect your business
Ransomware attacks on educational institutions have become all too common, and the cost of prevention is far less than the cost of an actual incident. A reliable data backup and recovery strategy can help schools secure sensitive data and maintain normal operations even during major disruptions such as this.
United Kingdom
Harrods
Luxury London department store Harrods disclosed that 430,000 customers’ personal data has been compromised in a data breach. In an email sent to customers on September 26, the company warned that personal data may have been stolen after one of its third-party provider systems was compromised.
Harrods said the impact was “limited” to basic information, including names, contact details and marketing preferences. The company emphasized that account passwords and payment details were not affected. While the attackers attempted to contact the company, Harrods refused to engage or negotiate with the hacker group.
The company added that this was an “isolated incident” and not connected to a separate incident in May, when it restricted internet access across its sites following an attempt to gain unauthorized access. Still, this marks yet another attack in a wave of cyber incidents that have recently targeted high-profile British businesses.
How it could affect your business
Attackers looking to harvest customer data are increasingly targeting retail chains. Protecting personal information should be a top priority, as even limited data exposure can damage customer trust and brand reputation.
North America
An unnamed FCEB agency
The Cybersecurity and Infrastructure Security Agency (CISA) disclosed last week that threat actors breached an unnamed federal civilian executive branch (FCEB) agency last year by exploiting a critical vulnerability in its open-source GeoServer mapping server.
While the attack occurred on one of the agency’s servers on July 9, 2024, the agency’s endpoint detection and response (EDR) tool did not alert its security operations center (SOC) until three weeks later. During that time, threat actors used brute force techniques to steal passwords, escalate privileges and move laterally to compromise two additional servers.
The critical vulnerability, which allows remote code execution (RCE), was disclosed on June 30, 2024, with a CVSS score of 9.8. This attack happened within just two weeks of that disclosure. In the wake of the breach, CISA urged security operations teams across organizations to closely monitor EDR alerts for suspicious activity and to strengthen incident response plans to contain breaches faster.
How it could affect your business
This incident shows how quickly attackers can exploit new vulnerabilities to compromise a network and move laterally across it without being detected. Having a robust SOC in place is essential to spot threats early and contain them before they spread.
North America
Cisco
Cybersecurity agencies worldwide, including CISA and the U.K. National Cyber Security Centre (NCSC), warned of an “advanced threat actor” actively targeting devices running Cisco’s Adaptive Security Appliances (ASA) firewall software.
According to the agencies, the “widespread” campaign exploits zero-day vulnerabilities in Cisco devices, allowing attackers to run malicious code and deploy malware. Impacted equipment includes certain Cisco ASA 5500-X Series devices, which act as firewalls protecting corporate networks from intrusions.
In a statement, Cisco analysts said they have “high confidence” the campaign is tied to ArcaneDoor — a state-sponsored threat actor the vendor first identified in 2024. In an emergency directive issued last Thursday, CISA ordered government cyber teams to locate all affected devices within just over one day, scan them for malicious activity and apply the security updates designed to patch the vulnerabilities.
How it could affect your business
Zero-day exploits against critical network devices like firewalls can give attackers a direct path into corporate systems. Businesses must treat these vulnerabilities as urgent, ensuring rapid patching, constant monitoring and layered defenses to reduce the risk of espionage and data theft.
North America
Volvo North America
Volvo North America has disclosed a data breach involving the personal information of its employees after a ransomware attack hit its third-party supplier, Miljödata.
The ransomware attack, which occurred on August 20, impacted at least 25 organizations, including Volvo North America, Scandinavian airline SAS and more than 200 Swedish municipalities. The attack targeted systems used for medical certificates, rehabilitation records and workplace injury management. Exposed data included employee names, Social Security numbers, email addresses, physical addresses, phone numbers, government IDs, dates of birth and gender.
A ransomware group called DataCarry has claimed responsibility for the Miljödata attack and has allegedly already published the stolen data on its Tor leak site.
How it could affect your business
Ransomware attacks on third-party suppliers can quickly ripple across multiple organizations, exposing sensitive data well beyond the initial target. Businesses must evaluate supply chain risks, enforce strict vendor security standards and ensure data shared with partners is adequately protected.
South America
Maida.health
In yet another third-party data breach, Brazilian health technology company Maida.health reportedly exposed more than 2TB of sensitive data tied to the nation’s military police.
The company, which manages billing, insurance claims and teleconsultation software for healthcare providers, including the Brazilian military police, is said to have suffered a breach compromising 2.3TB of data. The exposed information reportedly includes medical diagnostics, ID numbers and personal details of military police personnel, raising major concerns about the security of the country’s defense-related information. Even more alarming, the stolen data has been advertised for sale on an underground forum.
How it could affect your business
Healthcare remains a top target for cybercriminals because of the sensitive personal and medical data it holds. Breaches of this kind can lead to identity theft, fraud and long-term harm for both individuals and organizations.


