www.politico.com
Katherine Tully-McManus
11/10/2025, 2:01pm ET

Library of Congress employees were informed to take caution when emailing the office of the congressional scorekeeper.
A cybersecurity breach discovered last week affecting the Congressional Budget Office is now considered “ongoing,” threatening both incoming and outgoing correspondence around Congress’ nonpartisan scorekeeper.

Employees at the Library of Congress were warned in a Monday email, obtained by POLITICO, that the CBO cybersecurity incident is “affecting its email communications” and that library staff should take a range of measures to protect themselves.

Library of Congress workers also were told to restrict their communication with the nonpartisan agency tasked with providing economic and budgetary information to lawmakers.

“Do NOT click on any links in emails from CBO. Do NOT share sensitive information with CBO colleagues over email, Microsoft Teams, or Zoom at this time,” the email reads.

“Maintain a high level of vigilance and verify the legitimacy of CBO communications by confirming with the sender via telephone that they sent the message,” the note continues.

Congressional staff are in regular communication with CBO regarding scores of legislation and cost estimates the agency prepares for bills in both the House and Senate.

There was no immediate information Monday about the broader implications that a legislative branch office was continuing to experience cybersecurity vulnerabilities.

A CBO spokesperson said last week that officials had taken “immediate action to contain” the breach as officials investigate the incident.

When asked for comment Monday about ongoing issues, the CBO spokesperson referred to the prior statement.

forbes.com
By Lars Daniel
Nov 10, 2025

Hyundai is alerting millions of customers about a data breach that exposed Social Security numbers and driver's licenses.

Hyundai is alerting millions of customers about a data breach that exposed Social Security numbers and driver's licenses. The breach, which occurred in February but is only now being disclosed, represents the automotive giant's third major security incident in as many years.

How the Breach Happened
Think of Hyundai AutoEver America, or HAEA, as the digital nervous system for Hyundai, Kia and Genesis operations in North America. This California-based company manages everything from the software that enables remote car features to the computer systems dealerships use to process your purchase.

Between February 22 and March 2 of this year, hackers broke into these systems and roamed freely for nine days before being detected. That’s like a burglar having unsupervised access to a bank vault for over a week. Plenty of time to identify and steal important data.

The company discovered the intrusion on March 1st and says it immediately kicked the attackers out and brought in cybersecurity forensics teams. But the investigation took months, and notification letters are now being sent out to those confirmed to be affected: more than seven months after the attack ended.

What Information Was Stolen
The exposed data includes:

• Full name
• Social Security number
• Driver's license information

Hyundai AutoEver hasn’t said exactly how many people were affected, but regulatory filings show the breach reached multiple states. The upper limit is potentially massive: HAEA’s systems connect to 2.7 million vehicles across North America.

To put that in perspective, that’s roughly the entire population of Chicago potentially at risk. However, only individuals confirmed to be affected will receive notification letters.

This Keeps Happening to Hyundai
This isn’t Hyundai's first rodeo with hackers.

In early 2024, the Black Basta ransomware gang hit Hyundai Motor Europe, claiming to steal 3 terabytes of data, equivalent to about 750,000 digital photos or five hundred hours of high-definition video. That attack exposed everything from HR records to legal documents across multiple departments.

Before that, in 2023, breaches at Hyundai's Italian and French operations leaked customer email addresses, home addresses, and vehicle identification numbers.

Security researchers have also found serious vulnerabilities in Hyundai and Kia’s smartphone apps that could let hackers remotely control vehicles.

The Modern Car Is a Computer on Wheels
Here's what makes automotive breaches particularly concerning: Your car isn't just transportation anymore. It's a rolling data center.

Modern vehicles collect and transmit information constantly:

Where you drive and when
Your home and work addresses
How fast you accelerate and brake
When you service your vehicle
Your purchase and financing details
When hackers breach the IT provider managing this digital ecosystem, they don’t just get your Social Security number. They potentially access a comprehensive profile of your life and habits. It’s like the difference between someone stealing your wallet versus breaking into your phone. The phone contains exponentially more information about you.

What You Should Do Right Now
If you own or lease a Hyundai, Kia, or Genesis vehicle:

Immediate Actions:

Check your credit reports for unauthorized accounts or inquiries. You can get free reports at AnnualCreditReport.com
Monitor bank and credit card statements weekly for suspicious charges
Enable transaction alerts on your financial accounts
If You Receive a Notification Letter:

Enroll in the free credit monitoring within 90 days using the unique code provided
The service runs for two years and monitors all three credit bureaus
Call the dedicated hotline at 855-720-3727 with questions
For Everyone, Breached or Not:

Consider a credit freeze with Equifax, Experian and TransUnion. This prevents identity thieves from opening new accounts in your name
Enable fraud alerts which require creditors to verify your identity before issuing credit
Watch for phishing scams exploiting breach news. Hyundai will never ask for your Social Security number or payment information via email
The Uncomfortable Truth About Data Breaches
Data breaches have become depressingly routine. In 2024 alone, major incidents hit healthcare providers, retailers, financial institutions, and now automotive companies joining the list with alarming frequency.

But there's something particularly unsettling about automotive breaches. You chose your bank and can switch it. You chose your doctor and can change providers. But if you bought a Hyundai three years ago, you're stuck with their security practices until you sell the vehicle. Your data sits in their systems whether you like it or not.

And unlike a credit card breach where the bank typically covers fraudulent charges, identity theft involving Social Security numbers can create problems that take years to resolve. Victims may discover the theft only when they're denied a loan, receive bills for services they never used, or have their tax returns rejected because someone else already filed using their information.

What Hyundai Is Saying
In its breach notification, Hyundai AutoEver stated: "We regret that this incident occurred and take the security of personal information seriously."

The company says it’s investing in "additional security enhancements designed to mitigate future risk." But given this is the third major breach in three years across Hyundai Motor Group entities, many cybersecurity experts argue the company needs more than enhancements: it needs a fundamental security overhaul.

The automotive industry finds itself caught between competing pressures. Customers want connected features: remote start from their phone, navigation that predicts traffic, software updates that add new capabilities. These features require extensive data collection and cloud connectivity.

But every connection creates a potential vulnerability. Every database becomes a target. And when IT providers centralize services for millions of vehicles, they become high-value targets offering hackers a massive potential payoff from a single breach.

The challenge for automakers isn’t just fixing the specific vulnerabilities that enabled this breach. It’s fundamentally rethinking how they secure the growing mountain of customer data their business models now require.

techdigest.tv
10 November 2025
Chris Price

A catastrophic data breach at Chinese cybersecurity firm Knownsec has exposed a state-backed cyber arsenal and global surveillance targets.

A prominent Chinese cybersecurity firm with ties to the government, Knownsec, has suffered a catastrophic data breach, exposing over 12,000 classified documents detailing the inner workings of China’s state-sponsored cyber espionage program.
The leak of over 12,000 classified documents provides an unprecedented window into the operational infrastructure supporting China’s intelligence-gathering efforts, triggering significant international concern.

The leaked materials initially appeared on GitHub before being removed for terms-of-service violations. They reveal a vast technical arsenal, including sophisticated Remote Access Trojans (RATs) engineered to compromise every major operating system, specifically Linux, Windows, macOS, iOS, and Android.

The documents detail the use of highly specialized surveillance tools. These include Android attack code capable of extracting extensive message histories from popular chat applications, enabling targeted spying on specific individuals.

Even more concerning is the detail on hardware-based attack vectors. The firm allegedly developed a maliciously engineered power bank that can covertly exfiltrate data when connected to a victim’s computer, representing a sophisticated, hands-on supply-chain attack. This highlights the willingness of state-sponsored programs to invest in complex infrastructure to circumvent traditional security controls.

The archives also contain detailed spreadsheets documenting alleged breaches against more than 80 overseas targets. The scale of the data theft is massive, listing 95GB of immigration records from India, 3TB of call records from South Korea’s LG U Plus, and 459GB of road planning data from Taiwan.

The target list explicitly names over twenty countries and regions, including the United Kingdom, Japan, and Nigeria.

Knownsec, founded in 2007 and backed by Tencent, holds a trusted position within China’s security apparatus, providing services to government departments and major financial institutions. This prominence amplifies the significance of the leak.

In response to the disclosure, a Chinese Foreign Ministry spokesperson was evasive, stating unfamiliarity with any Knownsec breach while asserting that China “firmly opposes and combats all forms of cyberattacks.”

Analysts note this measured response avoided denying government support for such operations, underscoring Beijing’s positioning of cyber activities as national security instruments. Cybersecurity specialists worldwide are now studying the exposed data to improve global defense strategies.

Sky News Australia
Max Melzer

An Iranian-backed hacking group has posted plans for Australia's new $7 billion infantry fighting vehicles online following a spate of attacks on Israeli arms companies.

Plans for Australia's new $7 billion Redback infantry fighting vehicles have been stolen and posted online by Iran-backed hackers following a spate of attacks on Israeli arms companies.

Cyber Toufan, a hacking group believed to have ties to the Iranian state, posted classified 3D renderings and technical details of the next generation fighting vehicles on Telegram.

The group claimed to have stolen confidential data from 17 Israeli defence companies in a major cyberattack carried out after it gained access to supply chain firm MAYA Technologies over a year ago.

Israel’s Elbit Systems, which was contracted to provide hi-tech weapons turrets for the Redbacks, was among the companies targetted.

Skynews.com.au has contacted Elbit Systems for comment.

In addition to the exposure of sensitive details about the fighting vehicles' technical specifications, the documents posted by Cyber Toufan also revealed the Australian Defence Force had apparently been weighing whether to purchase Spike NLOS anti-tank missiles from the Israeli company.

It is not fully clear how much data was stolen in the hack or whether the details published online could be used to develop countermeasures to the Redback's defensive and offensive capabilities.

The Australian Army is set to receive 127 of the fighting vehicles under a roughly $7 billion contract with South Korean firm Hanwha Defence.

Elbit Systems' turrets will be affixed to the Redback's under a separate contract worth around $920 million.

The Israeli firm's involvement with the project had drawn criticism due to Israel's war in Gaza, although Defence Industry Minister Pat Conroy has repeatedly defended the company's involvement.

"We make no apology for getting the best possible equipment for the Australian Defence Force," he told the Indo-Pacific Maritime Exposition last week.

Cyber Toufan's attacks underscore the growing threat of hacking groups targetting sensitive military data.

The Australian Signals Directorate warned in its 2025 Cyber Threat Report that government and defence-related information was "an attractive target for state-sponsored cyber actors".

AUKUS remains the principle target for hostile actors, although Australian Security Intelligence Organisation Director-General Mike Burgess revealed even "countries we consider friendly" were attempting to gather intelligence about the nuclear submarine program.

"ASIO has identified foreign services seeking to target AUKUS to position themselves to collect on the capabilities, how Australia intends to use them, and to undermine the confidence of our allies," he warned in his annual threat assessment earlier this year.

Several Australian defence projects have already faced hacks in recent years, including in 2017 when a defence contractor was breached and data on the nation's F-35 program and the Collins-class submarine program was exposed.

Shipbuilder Austal was also successfully targetted by hackers in 2018.

| OAIC oaic.gov.au
Published: 09 October 2025

The Federal Court ordered that Australian Clinical Labs (ACL) pay $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business in February 2022.

The Federal Court yesterday ordered that Australian Clinical Labs (ACL) pay $5.8 million in civil penalties in relation to a data breach by its Medlab Pathology business in February 2022. The breach resulted in the unauthorised access and exfiltration of the personal information of over 223,000 individuals.

These are the first civil penalties ordered under the Privacy Act 1988 (Cth).

Australian Information Commissioner Elizabeth Tydd welcomed the Court's orders, stating that they “provide an important reminder to all APP entities that they must remain vigilant in securing and responsibly managing the personal information they hold.

“These orders also represent a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches and report them to the Office of the Australian Information Commissioner appropriately.

“Entities holding sensitive data need to be responsive to the heightened requirements for securing this information as future action will be subject to higher penalty provisions now available under the Privacy Act".

The Federal Court has made orders imposing the following penalties:

a penalty of $4.2 million for ACL's failure to take reasonable steps to protect the personal information held by ACL on Medlab Pathology’s IT systems under Australian Privacy Principle 11.1, which amounted to more than to 223,000 contraventions of s 13G(a) of the Privacy Act;
a penalty of $800,000 for ACL’s failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the cyberattack on the Medlab Pathology IT systems in February 2022, in contravention of s 26WH(2) of the Privacy Act; and
a penalty of $800,000 for ACL’s failures to prepare and give to the Australian Information Commissioner, as soon as practicable, a statement concerning the eligible data breach, in contravention of s 26WK(2) of the Privacy Act.
Justice Halley said in his judgment that the contraventions were “extensive and significant.” His Honour also found that:

‘ACL’s most senior management were involved in the decision making around the integration of Medlab’s IT Systems into ACL’s core environment and ACL’s response to the Medlab Cyberattack, including whether it amounted to an eligible data breach.’
‘ACL’s contraventions … resulted from its failure to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT Systems’
‘ACL’s contravening conduct … had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harms, and material inconvenience.’
‘the contraventions had the potential to have a broader impact on public trust in entities holding private and sensitive information of individuals.’
His Honour identified several factors that reduced the penalty that was imposed. These included that that ‘ACL ... cooperated with the investigation undertaken by the office of the Commissioner', and that it had commenced ‘a program of works to uplift the company’s cybersecurity capabilities’ which ‘satisfied [his Honour] that these actions demonstrate that ACL has sought, and continues to seek, to take meaningful steps to develop a satisfactory culture of compliance.’ His Honour also took into account the apologies made by ACL and the fact that it had admitted liability.

ACL admitted the contraventions, consented to orders being made and the parties made joint submissions on liability and penalty.

The penalties were imposed under the penalty regime which was in force at the time of the contraventions, with a maximum penalty of $2.22 million per contravention. The new penalty regime that came into force on 13 December 2022 allows the Court to impose much higher penalties for serious interferences with privacy. Under the new regime, maximum penalties per contravention can be as much as $50 million, three times the benefit derived from the conduct or up to the 30% of a business’s annual turnover per contravention.

Privacy Commissioner Carly Kind said, “This outcome represents an important turning point in the enforcement of privacy law in Australia. For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by parliament. This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold.”

techcrunch.com
Jagmeet Singh
6:30 PM PDT · October 28, 2025

A security researcher found the Indian automotive giant exposing personal information of its customers, internal company reports, and dealers’ data. Tata confirmed it fixed the issues.

Indian automotive giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data, including personal information of customers, company reports, and data related to its dealers.

Security researcher Eaton Zveare told TechCrunch that he discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for buying spare parts for Tata-made commercial vehicles. Headquartered in Mumbai, Tata Motors produces passenger cars, as well as commercial and defense vehicles. The company has a presence in 125 countries worldwide and seven assembly facilities, per its website.

Zveare said he found that the portal’s web source code included the private keys to access and modify data within Tata Motors’ account on Amazon Web Services, the researcher said in a blog post.

The exposed data, Zveare told TechCrunch, included hundreds of thousands of invoices containing customer information, such as their names, mailing addresses, and permanent account number (PAN), a 10-character unique identifier issued by the Indian government.

“Out of respect for not causing some type of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data or download excessively large files,” the researcher told TechCrunch.

There were also MySQL database backups and Apache Parquet files that included various bits of private customer information and communication, the researcher noted.

The AWS keys also enabled access to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software. Zveare also found backdoor admin access to a Tableau account, which included data of over 8,000 users.
“As server admin, you had access to all of it. This primarily includes things like internal financial reports, performance reports, dealer scorecards, and various dashboards,” the researcher said.

The exposed data also included API access to Tata Motors’ fleet management platform, Azuga, which powers the company’s test drive website.

Shortly after discovering the issues, Zveare reported them to Tata Motors through the Indian computer emergency response team, known as CERT-In, in August 2023. Later in October 2023, Tata Motors told Zveare that it was working on fixing the AWS issues after securing the initial loopholes. However, the company did not say when the issues were fixed.

Tata Motors confirmed to TechCrunch that all the reported flaws were fixed in 2023 but would not say if it notified affected customers that their information was exposed.

“We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed,” said Tata Motors communications head Sudeep Bhalla, when contacted by TechCrunch.

“Our infrastructure is regularly audited by leading cybersecurity firms, and we maintain comprehensive access logs to monitor for unauthorized activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and ensure timely mitigation of potential risks,” said Bhalla.

securityweek.com
ByIonut Arghire| October 30, 2025 (9:01 AM ET)
Updated: October 31, 2025 (2:36 AM ET)

The hackers stole names, addresses, dates of birth, Social Security numbers, and health and insurance information.

Business services provider Conduent is notifying more than 10 million people that their personal information was stolen in a January 2025 data breach.

The incident was disclosed publicly in late January, when Conduent confirmed system disruptions that affected government agencies in multiple US states.

In April, the company notified the Securities and Exchange Commission (SEC) that the attackers had stolen personal information from its systems.

Last week, Conduent started notifying users that their personal information was stolen in the incident, and submitted notices to Attorney General’s Offices in multiple states.

The hackers accessed Conduent’s network on October 21, 2024 and were evicted on January 13, 2025, after the attack was identified, the company says in the notification letter to the affected individuals.

During the time frame, the attackers exfiltrated various files from the network, including files containing personal information such as names, addresses, dates of birth, Social Security numbers, health insurance details, and medical information.

Conduent is not providing the affected people with free identity theft protection services, but encourages them to obtain free credit reports, place fraud alerts on their credit files, and place security freezes on their credit reports.

“Upon discovery of the incident, we safely restored our systems and operations and notified law enforcement. We are also notifying you in case you decide to take further steps to protect your information should you feel it appropriate to do so,” the notification letter reads.

Based on the data breach notice submitted with the authorities in Oregon, it appears that 10,515,849 individuals were impacted, with the largest number in Texas (4 million).

Conduent serves over 600 government and transportation organizations, and roughly half of Fortune 100 companies, across financial, pharmaceutical, and automobile sectors. The company supports roughly 100 million US residents across 46 states.

While the company has not shared details on the threat actor behind the attack, the Safepay ransomware group claimed the incident in February.

SecurityWeek has emailed Conduent for additional information and will update this article if the company responds.

*Updated with the number of impacted individuals from the Oregon Department of Justice.

reuters.com By A.J. Vicens
October 29, 202511:10 PM GMT+1Updated October 29, 2025

Hackers accessed Ribbon's network in December 2024
Three customers impacted, according to ongoing investigation
Ribbon's breach part of broader trend targeting telecom firms
Oct 29 (Reuters) - Hackers working for an unnamed nation-state breached networks at Ribbon Communications (RBBN.O), opens new tab, a key U.S. telecommunications services company, and remained within the firm’s systems for nearly a year without being detected, a company spokesperson confirmed in a statement on Wednesday.
Ribbon Communications, a Texas-based company that provides technology to facilitate voice and data communications between separate tech platforms and environments, said in its October 23 10-Q filing, opens new tab with the Securities and Exchange Commission that the company learned early last month that people “reportedly associated with a nation-state actor” gained access to the company’s IT network, with initial access dating to early December 2024.

The hack has not been previously reported. It is perhaps the latest example of technology companies that play a critical role in the global telecommunications ecosystem being targeted as part of nation-state hacking campaigns.
Ribbon did not identify the nation-state actor, or disclose which of its customers were affected by the breach, but told Reuters in the statement that its investigation has so far revealed three “smaller customers” impacted.
“While we do not have evidence at this time that would indicate the threat actor gained access to any material information, we continue to work with our third-party experts to confirm this,” a Ribbon spokesperson said in an email. “We have also taken steps to further harden our network to prevent any future incidents.”

| The Record from Recorded Future News
Daryna Antoniuk
October 27th, 2025

The utility responsible for operating Sweden's power grid is investigating a data breach after a ransomware group threatened to leak hundreds of gigabytes of purportedly stolen internal data.

Sweden’s power grid operator is investigating a data breach after a ransomware group threatened to leak hundreds of gigabytes of purportedly stolen internal data.

State-owned Svenska kraftnät, which operates the country’s electricity transmission system, said the incident affected a “limited external file transfer solution” and did not disrupt Sweden’s power supply.

“We take this breach very seriously and have taken immediate action,” said Chief Information Security Officer Cem Göcgören in a statement. “We understand that this may cause concern, but the electricity supply has not been affected.”

The ransomware gang Everest claimed responsibility for the attack on its leak site over the weekend, alleging it had exfiltrated about 280 gigabytes of data and saying it would publish it unless the agency complied with its demands.

The same group has previously claimed attacks on Dublin Airport, Air Arabia, and U.S. aerospace supplier Collins Aerospace — incidents that disrupted flight operations across several European cities in September. The group’s claims could not be independently verified.

Svenska kraftnät said it is working closely with the police and national cybersecurity authorities to determine the extent of the breach and what data may have been exposed. The utility has not attributed the attack to any specific threat actor.

“Our current assessment is that mission-critical systems have not been affected,” Göcgören said. “At this time, we are not commenting on perpetrators or motives until we have confirmed information.”

Korea JoongAng daily
Friday
October 17, 2025

The Korean government officially acknowledged Friday that hackers had accessed the Onnara system — a government work management platform — and administrative digital signature certificates called the government public key infrastructure (GPKI), which are essential for civil servant authentication.

Authorities said they are investigating how the breach occurred and assessing the extent of the damage, while also implementing new security measures.

During a press briefing at the government complex in Sejong, the Ministry of the Interior and Safety confirmed that “in mid-July, the National Intelligence Service (NIS) discovered signs that an external party accessed the Onnara system via the Government Virtual Private Network (G-VPN).”

Two months to acknowledge hacking

The statement came two months after a report by Phrack Magazine, a U.S.-based cybersecurity publication, claimed that the Ministry of the Interior and Safety, Ministry of Foreign Affairs, Ministry of Unification, Ministry of Oceans and Fisheries, telecom companies KT and LG U+ and private tech firms including Daum, Kakao and Naver, had all been targeted by hackers.

Until now, the Korean government had remained silent, but on Friday, it acknowledged the report’s claims were accurate.

The NIS is currently working with relevant agencies to determine how the breach occurred and to evaluate the scope of any data leaks. While the Ministry of the Interior and Safety said there has been no confirmed leak of government documents so far, it did not rule out the possibility of such leaks being uncovered during the investigation.
In response to the breach, the government has taken steps to strengthen its cybersecurity protocols.

“Since Aug. 4, remote access to the G-VPN has required not only digital signature authentication but also phone-based verification,” said Lee Yong-seok, head of the digital government innovation office at the Interior Ministry. “Additionally, we completed measures to prevent the reuse of login credentials for the Onnara system, which were applied to all central and local government agencies on July 28.”

Regarding GPKI, the government reviewed the validity of all certificates with information provided by the NIS. Most of the compromised certificates had already expired, and those that were still valid were revoked as of Aug. 13, according to the ministry.

NIS still investigating breach origin

The government also shared the preliminary results of its investigation into the cause of the breach, attributing it to user negligence that led to certificate information being leaked externally.

“All central and local government agencies have been instructed to stop sharing certificates and to strengthen management protocols,” the Interior Ministry said.

Although the North Korean hacking group Kimsuky was initially suspected to be behind the attack, the NIS said there was insufficient evidence to definitively identify the perpetrator. Kimsuky is known for targeting diplomatic, security and defense sectors to gather intelligence for the North Korean regime.

To counter security threats related to certificate theft or duplication, the government announced plans to replace GPKI-based authentication with biometric multi-factor methods, such as mobile government IDs for public officials.

The government also intends to expand the use of secure authentication technologies — including biometric-based digital IDs — across public services for the general population.

“If the NIS identifies any additional issues, we will immediately address and respond to them,” Lee said. “We will do everything we can to prevent a similar incident from happening again.”

Discord says that approximately 70,000 users may have had their government ID photos exposed as part of a data breach of a third-party service.

Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge. A tweet by vx-underground said that the company was being extorted over a breach of its Zendesk instance by a group claiming to have “1.5TB of age verification related photos. 2,185,151 photos.”

When we asked about the tweet, Wexler shared this statement:

Following last week’s announcement about a security incident involving a third-party customer service provider, we want to address inaccurate claims by those responsible that are circulating online. First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts. Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals. Third, we will not reward those responsible for their illegal actions.

All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts. We’ve secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause.

In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach.

status.salesforce.com ID# 20000224
Publié 5:58 pm CEST, Oct 02 2025 · Last updated 5:58 pm CEST, Oct 02 2025

Security Advisory: Ongoing Response to Social Engineering Threats
We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.
We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support. As we continue to monitor the situation, we encourage customers to remain vigilant against phishing and social engineering attempts, which remain common tactics for threat actors.

For detailed guidance, please review our blog post on protecting against social engineering (https://www.salesforce.com/blog/protect-against-social-engineering) and reach out through the Salesforce Help portal if you need support.
Publié 5:58 pm CEST, Oct 02 2025 · Last updated 5:58 pm CEST, Oct 02 2025

theins.ru
The Insider
2 October 2025 23:03

The hacker collective Black Mirror has released the first portion of an archive of documents from the Russian state defense corporation Rostec. The tranche contains more than 300 items. The materials detail Russia’s military and technical cooperation with foreign clients, pricing for military items, and logistics schemes aimed at evading sanctions. The published documents also include internal correspondence, presentations on overseas helicopter service centers, and agreements with international partners.

The files show that Russian companies have faced difficulties receiving payments for contracts with Algeria, Egypt, China, and India. Russian banks have been unable to issue guarantees or conduct transactions through the SWIFT system, forcing them to search for alternative settlement schemes in yuan, rubles, and euros.

The archive also contains information about an international network of service centers for Russian helicopter equipment. The documents describe existing and planned maintenance facilities in the UAE, Afghanistan, Vietnam, Bulgaria, Kazakhstan, and other countries. Particular attention is paid to the creation of an international regional logistics hub in Dubai, near Al Maktoum Airport, designed as a central node for supplying spare parts and components.

Among the materials is a letter from the Rostec holding company Concern Radio-Electronic Technologies (CRET) on pricing for military products in export contracts. The document proposes a simplified formula for setting wholesale prices, profit margins, transport expenses, and currency risks. It also discusses possible legal changes to allow more flexible use of revenues from military-technical cooperation.

The hackers said this is only the first portion of the Rostec archive, which they are releasing in what they called “fuck off exposure” mode. Black Mirror claims the documents include a list of “reliable trading partners” in several countries. These are said to have been approved by Russia’s Defense Ministry, the FSB, and the Foreign Intelligence Service (SVR) with the aim of reducing the risk of aviation and technical equipment being redirected to Ukraine through third countries.

In August, Telegram blocked Black Mirror’s channel. Attempts to access it displayed a notice that cited doxxing, defamation, and extortion as the reasons behind the ban. The Insider is not aware of the channel extorting money from anyone.

• Daily Dark Web - dailydarkweb.net
  October 3, 2025

The newly formed cybercrime alliance, “Scattered LAPSUS$ Hunters,” has launched a new website detailing its claims of a massive data breach affecting Salesforce and its extensive customer base. This development is the latest move by the group, a notorious collaboration between members of the established threat actor crews ShinyHunters, Scattered Spider, and LAPSUS$. On their new site, the group is extorting Salesforce directly, threatening to leak nearly one billion records with a ransom deadline of October 10, 2025.

This situation stems from a widespread and coordinated campaign that targeted Salesforce customers throughout mid-2025. According to security researchers, the attacks did not exploit a vulnerability in Salesforce’s core platform. Instead, the threat actors, particularly those from the Scattered Spider group, employed sophisticated social engineering tactics.

The primary method involved voice phishing (vishing), where attackers impersonated corporate IT or help desk staff in phone calls to employees of target companies. These employees were then manipulated into authorizing malicious third-party applications within their company’s Salesforce environment. This action granted the attackers persistent access tokens (OAuth), allowing them to bypass multi-factor authentication and exfiltrate vast amounts of data. The alliance has now consolidated the data from these numerous breaches for this large-scale extortion attempt against Salesforce itself.

The website lists dozens of high-profile Salesforce customers allegedly compromised in the campaign. The list of alleged victims posted by the group includes:

Toyota Motor Corporations (🇯🇵): A multinational automotive manufacturer.
FedEx (🇺🇸): A global courier delivery services company.
Disney/Hulu (🇺🇸): A multinational mass media and entertainment conglomerate.
Republic Services (🇺🇸): An American waste disposal company.
UPS (🇺🇸): A multinational shipping, receiving, and supply chain management company.
Aeroméxico (🇲🇽): The flag carrier airline of Mexico.
Home Depot (🇺🇸): The largest home improvement retailer in the United States.
Marriott (🇺🇸): A multinational company that operates, franchises, and licenses lodging.
Vietnam Airlines (🇻🇳): The flag carrier of Vietnam.
Walgreens (🇺🇸): An American company that operates the second-largest pharmacy store chain in the United States.
Stellantis (🇳🇱): A multinational automotive manufacturing corporation.
McDonald’s (🇺🇸): A multinational fast food chain.
KFC (🇺🇸): A fast food restaurant chain that specializes in fried chicken.
ASICS (🇯🇵): A Japanese multinational corporation which produces sportswear.
GAP, INC. (🇺🇸): A worldwide clothing and accessories retailer.
HMH (hmhco.com) (🇺🇸): A publisher of textbooks, instructional technology materials, and assessments.
Fujifilm (🇯🇵): A multinational photography and imaging company.
Instructure.com – Canvas (🇺🇸): An educational technology company.
Albertsons (Jewel Osco, etc) (🇺🇸): An American grocery company.
Engie Resources (Plymouth) (🇺🇸): A retail electricity provider.
Kering (🇫🇷): A global luxury group that manages brands like Gucci, Balenciaga, and Brioni.
HBO Max (🇺🇸): A subscription video on-demand service.
Instacart (🇺🇸): A grocery delivery and pick-up service.
Petco (🇺🇸): An American pet retailer.
Puma (🇩🇪): A German multinational corporation that designs and manufactures athletic footwear and apparel.
Cartier (🇫🇷): A French luxury goods conglomerate.
Adidas (🇩🇪): A multinational corporation that designs and manufactures shoes, clothing, and accessories.
TripleA (aaa.com) (🇺🇸): A federation of motor clubs throughout North America.
Qantas Airways (🇦🇺): The flag carrier of Australia.
CarMax (🇺🇸): A used vehicle retailer.
Saks Fifth (🇺🇸): An American luxury department store chain.
1-800Accountant (🇺🇸): A nationwide accounting firm.
Air France & KLM (🇫🇷/🇳🇱): A major European airline partnership.
Google Adsense (🇺🇸): A program run by Google through which website publishers serve advertisements.
Cisco (🇺🇸): A multinational digital communications technology conglomerate.
Pandora.net (🇩🇰): A Danish jewelry manufacturer and retailer.
TransUnion (🇺🇸): An American consumer credit reporting agency.
Chanel (🇫🇷): A French luxury fashion house.
IKEA (🇸🇪): A Swedish-founded multinational group that designs and sells ready-to-assemble furniture.
According to the actor, the breach involves nearly 1 billion records from Salesforce and its clients. The allegedly compromised data includes:

Sensitive Personally Identifiable Information (PII)
Strategic business records that could impact market position
Data from over 100 other demand instances hosted on Salesforce infrastructure

discord.com

Discord
October 3, 2025

At Discord, protecting the privacy and security of our users is a top priority. That’s why it’s important to us that we’re transparent with them about events that impact their personal information.

Discord recently discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers.
This incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams.
This unauthorized party did not gain access to Discord directly.
No messages or activities were accessed beyond what users may have discussed with Customer Support or Trust & Safety agents.
We immediately revoked the customer support provider’s access to our ticketing system and continue to investigate this matter.
We’re working closely with law enforcement to investigate this matter.
We are in the process of emailing the users impacted.
‍

At Discord, protecting the privacy and security of our users is a top priority. That’s why it’s important to us that we’re transparent with them about events that impact their personal information.

Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams.

As soon as we became aware of this attack, we took immediate steps to address the situation. This included revoking the customer support provider’s access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement.

We are in the process of contacting impacted users. If you were impacted, you will receive an email from noreply@discord.com. We will not contact you about this incident via phone – official Discord communications channels are limited to emails from noreply@discord.com.

What happened?
An unauthorized party targeted our third-party customer support services to access user data, with a view to extort a financial ransom from Discord.

What data was involved?
The data that may have been impacted was related to our customer service system. This may include:

Name, Discord username, email and other contact details if provided to Discord customer support
Limited billing information such as payment type, the last four digits of your credit card, and purchase history if associated with your account
IP addresses
Messages with our customer service agents
Limited corporate data (training materials, internal presentations)
The unauthorized party also gained access to a small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination. If your ID may have been accessed, that will be specified in the email you receive.

What data was not involved?
Full credit card numbers or CCV codes
Messages or activity on Discord beyond what users may have discussed with customer support
Passwords or authentication data
What are we doing about this?
Discord has and will continue to take all appropriate steps in response to this situation. As standard, we will continue to frequently audit our third-party systems to ensure they meet our security and privacy standards. In addition, we have:

Notified relevant data protection authorities.
Proactively engaged with law enforcement to investigate this attack.
Reviewed our threat detection systems and security controls for third-party support providers.
Taking next steps
Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious. We have service agents on hand to answer questions and provide additional support.

We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause.

bleepingcomputer.com By Sergiu Gatlan
October 3, 2025

An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks.

The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as "Scattered Lapsus$ Hunters."

Today, they launched a new data leak site containing 39 companies impacted by the attacks. Each entry includes samples of data allegedly stolen from victims' Salesforce instances, and warns the victims to reach out to "prevent public disclosure" of their data before the October 10 deadline is reached.

The companies being extorted on the data leak site include well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA.

"All of them have been contacted long ago, they saw the email because I saw them download the samples multiple times. Most of them chose to not disclose and ignore," ShinyHunters told BleepingComputer.

"We highly advise you proceed into the right decision, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always. We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter," they warned on the leak site.

The threat actors also added a separate entry requesting that Salesforce pay a ransom to prevent all impacted customers' data (approximately 1 billion records containing personal information) from being leaked.

"Should you comply, we will withdraw from any active or pending negotiation indiviually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay," they added.

The extortion group also threatened the company, stating that it would help law firms pursue civil and commercial lawsuits against Salesforce following the data breaches and warned that the company had also failed to protect customers' data as required by the European General Data Protection Regulation (GDPR).

We are writing to provide an update regarding a security incident related to a specific GitLab environment used by our Red Hat Consulting team. Red Hat takes the security and integrity of our systems and the data entrusted to us extremely seriously, and we are addressing this issue with the highest priority.

What happened
We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.

We have now implemented additional hardening measures designed to help prevent further access and contain the issue.

Scope and impact on customers
We understand you may have questions about whether this incident affects you. Based on our investigation to date, we can share:

Impact on Red Hat products and supply chain: At this time, we have no reason to believe this security issue impacts any of our other Red Hat services or products, including our software supply chain or downloading Red Hat software from official channels.
Consulting customers: If you are a Red Hat Consulting customer, our analysis is ongoing. The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, and internal communications about consulting services. This GitLab instance typically does not house sensitive personal data. While our analysis remains ongoing, we have not identified sensitive personal data within the impacted data at this time. We will notify you directly if we believe you have been impacted.
Other customers: If you are not a Red Hat Consulting customer, there is currently no evidence that you have been affected by this incident.
For clarity, this incident is unrelated to a Red Hat OpenShift AI vulnerability (CVE-2025-10725) that was announced yesterday.

Our next steps
We are engaging directly with any customers who may be impacted.

Thank you for your continued trust in Red Hat. We appreciate your patience as we continue our investigation.

bleepingcomputer.com By Lawrence Abrams
October 2, 2025 02:15 AM 0

An extortion group calling itself the Crimson Collective claims to have breached Red Hat's private GitHub repositories, stealing nearly 570GB of compressed data across 28,000 internal projects.

An extortion group calling itself the Crimson Collective claims to have breached Red Hat's private GitHub repositories, stealing nearly 570GB of compressed data across 28,000 internal projects.

This data allegedly includes approximately 800 Customer Engagement Reports (CERs), which can contain sensitive information about a customer's network and platforms.

A CER is a consulting document prepared for clients that often contains infrastructure details, configuration data, authentication tokens, and other information that could be abused to breach customer networks.

Red Hat confirmed that it suffered a security incident related to its consulting business, but would not verify any of the attacker's claims regarding the stolen GitHub repositories and customer CERs.

"Red Hat is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps," Red Hat told BleepingComputer.

"The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain."

While Red Hat did not respond to any further questions about the breach, the hackers told BleepingComputer that the intrusion occurred approximately two weeks ago.

They allegedly found authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure.

The hacking group also published a complete directory listing of the allegedly stolen GitHub repositories and a list of CERs from 2020 through 2025 on Telegram.

The directory listing of CERs include a wide range of sectors and well known organizations such as Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the U.S. Navy’s Naval Surface Warfare Center, Federal Aviation Administration, the House of Representatives, and many others.

The hackers stated that they attempted to contact Red Hat with an extortion demand but received no response other than a templated reply instructing them to submit a vulnerability report to their security team.

According to them, the created ticket was repeatedly assigned to additional people, including Red Hat's legal and security staff members.

BleepingComputer sent Red Hat additional questions, and we will update this story if we receive more information.

The same group also claimed responsibility for briefly defacing Nintendo’s topic page last week to include contact information and links to their Telegram channel

Communiqué : cyberattaque et vol de données
Publié le : 19/09/2025
Modifié le : 19/09/2025
La Fédération Française de Tennis de Table informe avoir été victime d’une cyberattaque et d’un vol de données : vigilance conseillée à tous nos licenciés.

La FFTT a récemment subi une attaque informatique compromettant la sécurité des données personnelles de ses licenciés.

Un accès non-autorisé par l’usage d’un compte compromis a permis une récupération en masse d’informations dans notre base de données des licenciés. Les données concernées incluent notamment le numéro de licence, nom, prénom, genre, date et lieu de naissance, nationalité ainsi que des moyens de contact tels que adresse postale, adresse email et numéro de téléphone. En revanche, aucune donnée concernant des coordonnées bancaires ou des données de santé n’a été atteinte.

La FFTT regrette profondément cette situation et tient à assurer que l’ensemble de ses services sont mobilisés pour gérer cette intrusion. Le service informatique fédéral travaille, en collaboration avec ses prestataires techniques, à la correction de cette faille de sécurité.

Cet incident appelle à une vigilance accrue des licenciés face aux risques potentiels qui en découlent (risques d’hameçonnage (phishing), de tentatives d’escroqueries ou encore d’usurpation d’identité).

La FFTT invite donc ses membres à la plus grande prudence face aux prochaines communications qu’ils pourraient recevoir, notamment tout message suspect ou inhabituel émanant en apparence de la FFTT ou d’un autre expéditeur (invitation à ouvrir une pièce jointe suspecte ou à communiquer vos comptes, mots de passe ou données bancaires).

Toutes les informations sur les bonnes pratiques en matière de cybermalveillance.

La FFTT va adresser une communication aux personnes concernées.

Une plainte a été déposée et les autorités compétentes ont été informées (ANSSI, CNIL).

Pour toutes informations supplémentaires concernant cet événement, les services de la fédération sont joignables par courriel à l’adresse suivante : cyber@fftt.org

databreaches.net Posted on September 15, 2025 by Dissent

On September 11, DataBreaches broke the story that customers of several high-end fashion brands owned by Paris-headquartered Kering had their personal information acquired by ShinyHunters as part of two Salesforce attacks. As we reported, a spokesperson for ShinyHunters claimed to have acquired more than 43 million customer records from Gucci and almost 13 million records from Balenciaga, Brioni, and Alexander McQueen combined.

Kering never responded to emailed inquiries, but ShinyHunters provided DataBreaches with samples from both attacks that appeared legitimate. They also provided chat logs from negotiations they claimed took place with someone presenting themselves as Balenciaga’s safety manager. Those negotiations appeared to go on for more than a month and a half between June 20 and mid-August. According to the logs, it appeared Kering agreed to pay a ransom of 500,000 euros, but then they went silent and never followed through.

Kering Issues a Statement
Although they did not respond to DataBreaches’ questions at the time, Kering issued a statement that they provided to other news sites, including LeMagIT and The Guardian.

Their statement, as reported by LeMagIT, does not answer all of the questions DataBreaches had, but it’s a start. Kering states:

« En juin 2025, nous avons constaté qu’un tiers non autorisé avait temporairement accédé à nos systèmes et consulté des données clients limitées provenant de certaines de nos Maisons », explique le service de presse de Kering dans une déclaration adressée à la rédaction.

Celle-ci ajoute que « nos Maisons ont immédiatement signalé cette intrusion aux autorités compétentes et ont informé les clients conformément aux réglementations locales ».

Et de préciser qu’aucune « information financière, telle que des numéros de compte bancaire ou de carte de crédit, ni aucun numéro d’identification personnelle (numéro de sécurité sociale), n’ont été compromise lors de cet incident ».

Selon le service de presse de Kering « l’intrusion a été rapidement identifiée et des mesures appropriées ont été prises pour sécuriser les systèmes concernés et éviter que de tels incidents ne se reproduisent à l’avenir ».

A machine translation roughly yields:

In June 2025, we found that an unauthorized third party had temporarily accessed our systems and accessed limited customer data from some of our Houses. Our Houses immediately reported this intrusion to the competent authorities and informed the customers in accordance with local regulations….. No financial information, such as bank account or credit card numbers, nor any personal identification number (social security number), was compromised during this incident.

According to Kering’s statement, “the intrusion was quickly identified and appropriate measures were taken to secure the affected systems and prevent such incidents from recurring in the future.”

They do not name the brands affected, they do not disclose the total number of affected individuals, and when asked what countries were affected, Kering reportedly declined to answer Reuter’s question.

An Inconsistent Statement?
It appears that neither Kering nor any of the affected brands detected the breaches on their own, and they only first found out when ShinyHunters contacted them in June. Why they did not discover the breaches by their own means is unknown to DataBreaches.

DataBreaches can confirm that there was no financial information in the samples of records that DataBreaches inspected. However, Kering’s statement to another news outlet contradicts claims made by ShinyHunters to DataBreaches.net in important respects.

As previously reported, ShinyHunters provided this site with chat logs of negotiations between ShinyHunters and someone claiming to be a representative of Balenciaga. But Kering has apparently told the BBC that it did not engage in conversations with the criminal(s), and it didn’t pay any ransom, consistent with long-standing law enforcement advice.

Their denial appears to be factually inaccurate, at least in part.

At the time of our first publication, DataBreaches reported that Balenciaga had made a small test payment in BTC to ShinyHunters. This site did not include specific proof in that article, but ShinyHunters had provided this site with evidence at the time. We are posting that proof now in light of Kering’s denial that they engaged in any conversations or paid any ransom.

The chat log provided to this site showed that Balenciaga was to make a small test payment in BTC to ShinyHunters on or about July 4. The amount mentioned in the chat log was 0,00045 BTC. The chat log also showed the BTC address as bc1qzwpshyadethrqum0yyjh7uxxzhsnjjgapdmr4c. DataBreaches had redacted that address from the published report.

On July 4, Balenciaga’s “user” told ShinyHunters that the test payment had been made:

[en attente] : 2025-07-04
[03:09:08] shinycorp: Bonjour, vous nous aviez promis un paiement hier, mais nous n’avons rien reçu. des nouvelles ?
[04:23:45] Utilisateur: Bonjour
[04:24:05] Utilisateur: nous avons eu du retard pour la création du compte
[04:24:09] Utilisateur: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b
[04:24:18] Utilisateur: ci joint la preuve du paiement test
[04:24:24] Utilisateur: je vous invite à vérifier
[04:52:42] shinycorp: Reçu pour la première fois
[06:17:52] shinycorp: Veuillez diffuser la transaction.
[07: 45: 06] Utilisateur: fichier: / / / C: / Utilisateurs / X / Bureau / flux de blocs.htm
[07:46:28] Utilisateur: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b

DataBreaches had looked up the wallet address and found confirmation of the payment. The following is a screengrab showing the payment.

Btcpaid

Kering’s reported claims about no conversations and no payment appear to be refuted by the chat log and corresponding BTC transaction. ShinyHunters did not claim that Kering paid their ransom demand, but they do claim that there were extensive negotiations and that a small test payment was made, and there seems to be proof of that.

Kering’s statement to other news sites also leaves a lot of other unanswered questions. They told the BBC that they had emailed all affected customers, but that raises other questions. DataBreaches emailed Kering again today to ask for additional details. Specifically, DataBreaches asked them:

Have you notified data protection regulators in all of the countries where your customers reside?
When did you send emails to customers to notify them?
Have you notified store customers by postal mail if the customers did not provide email addresses? If not, how have you notified those without email addresses?
Your statement claims that you did not have any conversations with the attackers. Has your legal department obtained IP addresses from qtox to find out the IP address of the person representing themself as Balenciaga’s negotiator? Are you claiming that ShinyHunters was lying about negotiations, or are you saying something else?
No reply has been received.

Furthermore, we still do not know how many unique customers, total, were affected by these attacks on their brands. The BBC reported that it might be less than 7.4 million based on the number of unique email addresses. But the 7.4 million unique email addresses were only for the Balenciaga, Brioni, and Alexander McQueen data. There were more than 43 million records for the Gucci data set, so there would be a significant number of unique email addresses and customers there, too, and not all customers provide an email address.

Although Kering does not seem to be embracing public transparency in its incident response, we may eventually find out more if investors demand accountability or if data protection regulators report on any investigations and findings.