The week in breach news

Europe

Volkswagen

Volkswagen, one of the world’s largest automakers, has reportedly been hit by the ransomware group 8Base.

The group publicly claimed in September 2024 that it had breached Volkswagen’s systems. Known for deploying Phobos ransomware and using double-extortion tactics, 8Base claimed to have exfiltrated confidential files on September 23, 2024, threatening to leak them by September 26. Although no data appeared immediately after the deadline, the group later listed the allegedly stolen information on its dark web site, including invoices, accounting records, employee files, contracts, certificates and multiple confidentiality agreements.

While Volkswagen maintains that its core IT infrastructure remains unaffected, the limited response has raised questions about the full scope of the incident and whether a third-party system may have been compromised.

Australia & New Zealand

Vocus

Vocus, Australia’s fourth-largest telco, announced that 1,600 home internet and mobile customers were affected by a hack targeting its business email and mobile services.

On October 17, the company — which owns Dodo and iPrimus — detected suspicious activity in its email system. An investigation revealed unauthorized access to approximately 1,600 email accounts, resulting in SIM swaps on 34 Dodo Mobile accounts. In response, Vocus temporarily suspended certain services to contain the issue and begin recovery efforts.

Vocus said it continues to monitor the situation closely and has worked with affected customers to reverse the SIM swaps and restore their services.

North America

Sotheby’s

Sotheby’s, the New York City-based luxury auction house, disclosed a July cyberattack in a data breach notification filed with the Maine Attorney General’s Office (AGO).

The luxury auctioneer stated it discovered the breach in September. During the investigation, Sotheby’s determined that the attacker had accessed files containing personal data, including names, Social Security numbers and financial account details. The firm has not yet confirmed how many individuals were affected by the incident.

Europe

Mango

Mango, the Spain-based fashion retailer, has notified customers about a data breach involving one of its third-party marketing providers.

On October 14, the company stated that hackers gained access to personal customer data during a third-party data breach. Exposed information includes first names, country, postal code, email addresses and phone numbers. Mango clarified that no sensitive financial or identification data — such as credit card numbers, banking details or login credentials — was compromised in the attack.

The breach originated from a third-party marketing service provider in Spain that managed customer data for promotional purposes. This incident adds to a growing list of cyberattacks targeting Spanish retailers. Earlier this year, El Corte Inglés and Tendam also suffered similar breaches.

United Kingdom

Capita

The UK’s Information Commissioner’s Office (ICO) has fined outsourcing giant Capita £14 million after the personal data of 6.6 million people was stolen in a cyberattack.

While the breach occurred in March 2023, it was later revealed that Capita had also left a repository of files unsecured online, exposing customer data belonging to more than 90 organizations. The ICO said Capita “failed to ensure the security of processing of personal data,” leaving it at significant risk. The initial £45 million fine was reduced after discussions between Capita and the regulator.