securityweek.com
By Eduard Kovacs| January 13, 2026 (12:09 PM ET)
The law firm Fried Frank seems to be informing high-profile clients about a recent data security incident.
JPMorgan Chase is informing some investors about a data breach stemming from a recent cybersecurity incident at an outside law firm. The same incident triggered a similar data breach notice from Goldman Sachs in December 2025.
The Maine Attorney General’s Office requires companies that have suffered a data breach impacting the state’s residents to submit a report and a copy of the notification letter sent to affected individuals.
JPMorgan Chase submitted such a notification to the Maine AGO on Tuesday, revealing that investors in a private equity fund have been impacted by a data breach linked to an incident at the law firm Fried, Frank, Harris, Shriver & Jacobson LLP.
The notification letters reveal that an “unauthorized third party” copied files from a Fried Frank shared network drive. Some of the files contained the personal information of individuals who invested in the JPMorgan fund.
The compromised information includes names, contact information, account numbers, SSNs, and passport or other government ID numbers.
JPMorgan told the Maine AGO that a total of 659 individuals are affected by the data breach.
The banking giant’s disclosure mirrors a similar warning issued by Goldman Sachs in late 2025.
According to Goldman’s notification to impacted investors, Fried Frank told the company that “based on the steps it has taken to date, it believes that any data exposed in the incident is unlikely to be distributed or used improperly”.
Both Wall Street titans highlighted that their own systems were not compromised.
Fried Frank is facing lawsuits over the data breach.
It’s unclear who is behind the intrusion. SecurityWeek has not seen any ransomware group taking credit for an attack on Fried Frank. If it was indeed a ransomware attack, the law firm may have paid a ransom, which would be consistent with its statement about the unlikely abuse of the data.
SecurityWeek has reached out to Fried Frank for additional information and will update this article if the company responds.
The Brussels Times
Tuesday, 13 January 2026
By The Brussels Times with Belga
The AZ Monica hospital in Antwerp was targeted by a cyberattack on Tuesday, with a full-scale investigation now launched.
The hospital detected a serious IT system disruption around 6:30 am and, as a precaution, shut down its servers at both the Deurne and Antwerp campuses. It is not yet clear whether patient data has been compromised.
All scheduled procedures were postponed on Tuesday, impacting a minimum of 70 surgeries across both campuses. Seven patients were proactively transferred to another hospital.
The motives behind the cyberattack remain unknown. Unconfirmed reports within the hospital suggest the hackers may be demanding ransom, but neither the public prosecutor nor the hospital’s CEO has confirmed these claims.
Access to AZ Monica remains possible, and its emergency department is operational, albeit in a limited capacity.
However, MUG and PIT emergency services are temporarily unavailable. The hospital emphasised that its primary focus continues to be patient safety and care continuity.
thepinknews.com
Jan 06
Written by Sophie Perry
The website belonging to the Free Speech Union (FSU) is down after a trans activism group BASH BACK hacked it and exposed its list of donors.
The Free Speech Union's website is currently unavailable (PinkNews)
The website belonging to the Free Speech Union (FSU) is down after trans activism group BASH BACK hacked it and exposed its list of alleged donors.
The group, which vandalised offices belonging to the Equality and Human Rights Commission (EHRC) in London in October, published a list of names of people who have allegedly donated to the FSU’s various campaigns.
Shortly after publication of PinkNews’ article, the BASH BACK website also went down, with a 404 error page visible instead.
The freedom of speech organisation, founded by Conservative peer and journalist Toby Young, was said – according to GB News – to be undertaking an “independent security briefing” into BASH BACK, inspired by an article in the Daily Mail which detailed future BASH BACK targets, including the offices of health secretary Wes Streeting and prime minister Keir Starmer.
At the time of that article’s publication, BASH BACK stated the information about its targets was publicly available information.
“The Free Speech Union commissioned a ‘security’ report on us,” BASH BACK wrote on BlueSky on Monday (5 January), “so we tested their security. Turns out – it sucks.”
By Monday evening the FSU’s website was unavailable and stated “maintenance mode is on”, but by Tuesday morning a 404 error code appeared when attempting to access it.
PinkNews will not publish any of the names listed in the hacked list, and is also unable to verify its content.
A spokesperson for BASH BACK described the FSU in a statement as an “organisation for defending bigots”.
“Instead of fighting for the free speech of pro-Palestine activists, such as the prisoners currently on hunger strike, they move heaven and earth to defend every sexist, racist, and transphobe that crosses their path,” they wrote.
“The FSU has said nothing about the police banning the use of common Arabic phrases, the abuse of activists in prison, or the censorship imposed on the public around Britain’s involvement in genocide.
“Instead, their focus is on defending those who preach hatred. The public deserves to know who is funding the FSU’s activities, and we are glad to be able to reveal it.”
They went on to state the FSU “purports to be an advocacy group for freedom of expression” but instead “represent a security fund for attention-seeking reactionaries backed by the ultra-wealthy”.
“They use their funders’ deep pockets to repress ordinary people and impose a two-tier justice system where wealthy transphobes and racists can preach hate whilst those who oppose genocide are imprisoned and abused, or otherwise subject to police violence,” the spokesperson continued.
“In a time where free speech is under attack, not by ‘wokism’ or minorities, but by an increasingly authoritarian state, the so-called ‘Free Speech Union’ sets its sights instead on protecting powerful bigots from the consequences of their public tantrums.”
9to5mac.com
Arin Waichulis | Jan 9 2026 - 7:19 am PT
Mosyle, a popular Apple device management and security firm, has exclusively shared details with 9to5Mac on a previously unknown macOS malware campaign. While crypto miners on macOS aren’t anything new, the discovery appears to be the first Mac malware sample uncovered in the wild that contains code from generative AI models—officially confirming what was inevitable.
At the time of discovery, Mosyle’s security research team says the threat was undetected by all major antivirus engines. This comes nearly a year after Moonlock Lab warned about chatter on dark web forums indicating how large language models were being used to write malware targeting macOS.
The campaign, which Mosyle is calling SimpleStealth, is spreading through a convincing fake website impersonating the popular AI app, Grok. The threat actors are using a look-alike domain to trick users into downloading a malicious macOS installer. When launched, victims are presented with what appears to be a full-functioning Grok app that looks and behaves like the real thing. This is a common technique used to keep the application front and center while malicious activity quietly runs in the background, allowing the malware to operate longer without being noticed.
According to Mosyle, SimpleStealth is designed to bypass macOS security safeguards during its first execution. The app prompts the user for their system password under the guise of completing a simple setup task. This allows the malware to remove Apple’s quarantine protections and prepare its true payload. From the user’s perspective, everything appears normal as the app continues to display familiar AI-related content that the real Grok app would.
Behind the scenes, however, the malware deploys the stealthy Monero (XMR) crypto miner that boasts having “quicker payouts” and being “confidential and untraceable” on its website. To stay hidden, the mining activity only starts when the Mac has been idle for at least a minute and stops immediately when the user moves the mouse or types. The miner further disguises itself by mimicking common system processes like kernel_task and launchd, making it far harder for users to spot abnormal behavior.
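One defender-side check for the process-name mimicry described above, as an added example that is not Mosyle's or 9to5Mac's code: it parses the output of `ps -axo pid,ppid,comm` (on macOS the `comm` column carries the executable path; the sample lines below are constructed) and flags any process named kernel_task or launchd that is not the genuine one, since on a real Mac kernel_task is only ever pid 0 and launchd is only ever pid 1 at /sbin/launchd.

```python
"""Flag processes that borrow the names of macOS system daemons.

Constructed example, not Mosyle's or 9to5Mac's code. The SimpleStealth
write-up says the miner disguises itself as kernel_task and launchd.
Genuine kernel_task is pid 0 with no path; genuine launchd is pid 1 at
/sbin/launchd. Anything else carrying those names is worth a look.
"""
import re

# Legitimate (pid, executable path) for the names the miner imitates.
EXPECTED = {
    "kernel_task": (0, None),
    "launchd": (1, "/sbin/launchd"),
}

# Constructed sample of `ps -axo pid,ppid,comm` output (not real data).
SAMPLE_PS = """\
  PID  PPID COMM
    0     0 kernel_task
    1     0 /sbin/launchd
  412     1 /usr/libexec/trustd
 7731  7702 /Users/alice/Library/Application Support/Grok/launchd
 7740  7702 /Users/alice/Library/Application Support/Grok/kernel_task
 7755     1 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
"""


def parse_ps(text):
    """Return (pid, ppid, comm) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(.+?)\s*$", line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def find_impostors(text):
    """Return processes whose basename matches a system daemon but whose
    pid or path does not match the one legitimate instance."""
    suspects = []
    for pid, ppid, comm in parse_ps(text):
        name = comm.rsplit("/", 1)[-1]
        if name not in EXPECTED:
            continue
        want_pid, want_path = EXPECTED[name]
        if pid != want_pid or (want_path and comm != want_path):
            suspects.append((pid, ppid, comm))
    return suspects


if __name__ == "__main__":
    for pid, ppid, comm in find_impostors(SAMPLE_PS):
        print(f"suspect pid={pid} ppid={ppid} exe={comm}")
```

The two Grok-path processes are reported; the genuine pid 0 and pid 1 entries are not.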
In evidence seen by 9to5Mac, the use of AI is found throughout the malware’s code, which features unusually long-winded comments, a mix of English and Brazilian Portuguese, and repetitive logic patterns that are characteristic of AI-generated scripts.
Overall, this situation is alarming for several reasons, primarily because AI is lowering the barrier to entry for attackers faster than ‘malware-as-a-service’ ever could. Virtually anyone with internet access can now craft samples like SimpleStealth, significantly accelerating the pace at which new threats can be created and deployed.
The best way to stay safe is to avoid downloading anything from third-party sites. Always source your apps directly from the Mac App Store or directly from developer websites you trust.
Indicators of Compromise
Below you can find the Indicators of Compromise (IoCs) of the SimpleStealth sample for your own research or to improve detection at your organization. Exercise caution around visiting any observed domains.
Malware family: SimpleStealth
Distribution name: Grok.dmg
Target platform: macOS
Observed domain: xaillc[.]com
therecord.media
Jonathan Greig
January 2nd, 2026
The claims administration company Sedgwick confirmed that a subsidiary that contracts with a handful of sensitive federal agencies is dealing with a cybersecurity incident.
Claims administration company Sedgwick confirmed that its government-focused subsidiary is dealing with a cybersecurity incident.
On New Year’s Eve, the TridentLocker ransomware gang claimed it attacked Sedgwick Government Solutions and stole 3.4 gigabytes of data.
A Sedgwick spokesperson confirmed the company is currently addressing a security incident at the subsidiary, which provides claims and risk management services to federal agencies like the Department of Homeland Security (DHS), Immigration and Customs Enforcement, Customs and Border Protection, Citizenship and Immigration Services, the Department of Labor, and the Cybersecurity and Infrastructure Security Agency (CISA).
“Following the detection of the incident, we initiated our incident response protocols and engaged external cybersecurity experts through outside counsel to assist with our investigation of the affected isolated file transfer system,” the spokesperson said.
“Importantly, Sedgwick Government Solutions is segmented from the rest of our business, and no wider Sedgwick systems or data were affected. Further, there is no evidence of access to claims management servers nor any impact on Sedgwick Government Solutions’ ability to continue serving its clients.”
The company has notified law enforcement and is in contact with its customers about the incident.
CISA and DHS did not respond to requests for comment. The company also provides services to municipal agencies in all 50 states as well as the Smithsonian Institution and the Port Authority of New York and New Jersey.
TridentLocker is a new ransomware gang that emerged in November, cybersecurity experts said. The group previously took credit for an attack on the Belgian postal and package delivery service bpost, which confirmed that it recently suffered from a data breach.
The group has listed a total of 12 victims on its leak site since its emergence.
Ransomware gangs have repeatedly targeted federal government contractors like Sedgwick. More than 10 million people had information leaked after the prominent government contractor Conduent was attacked one year ago.