arstechnica.com - Ars Technica
Dan Goodin – Jan. 29, 2026 19:30
Settlement comes more than 6 years after Gary DeMercurio and Justin Wynn's ordeal began.
Two security professionals who were arrested in 2019 after performing an authorized security assessment of a county courthouse in Iowa will receive $600,000 to settle a lawsuit they brought alleging wrongful arrest and defamation.
The case was brought by Gary DeMercurio and Justin Wynn, two penetration testers who at the time were employed by Colorado-based security firm Coalfire Labs. The men had written authorization from the Iowa Judicial Branch to conduct “red-team” exercises, meaning attempted security breaches that mimic techniques used by criminal hackers or burglars.
The objective of such exercises is to test the resilience of existing defenses using the types of real-world attacks the defenses are designed to repel. The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.
A chilling message
The event galvanized security and law enforcement professionals. Despite the legitimacy of the work and the legal contract that authorized it, DeMercurio and Wynn were arrested on charges of felony third-degree burglary and spent 20 hours in jail, until they were released on $100,000 bail ($50,000 for each). The charges were later reduced to misdemeanor trespassing charges, but even then, Chad Leonard, sheriff of Dallas County, where the courthouse was located, continued to allege publicly that the men had acted illegally and should be prosecuted.
Reputational hits from these sorts of events can be fatal to a security professional’s career. And of course, the prospect of being jailed for performing an authorized security assessment is enough to get the attention of any penetration tester, not to mention the customers that hire them.
“This incident didn’t make anyone safer,” Wynn said in a statement. “It sent a chilling message to security professionals nationwide that helping [a] government identify real vulnerabilities can lead to arrest, prosecution, and public disgrace. That undermines public safety, not enhances it.”
DeMercurio and Wynn’s engagement at the Dallas County Courthouse on September 11, 2019, had been routine. A little after midnight, after finding a side door to the courthouse unlocked, the men closed it and let it lock. They then slipped a makeshift tool through a crack in the door and tripped the locking mechanism. After gaining entry, the pentesters tripped an alarm alerting authorities.
Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building. DeMercurio and Wynn spent the next 10 or 20 minutes telling what their attorney in a court document called “war stories” to deputies who had asked about the type of work they do.
When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn’t authorized any such intrusion. Leonard had the men arrested, and in the days and weeks to come, he made numerous remarks alleging the men violated the law. A couple of months after the incident, he told me that surveillance video from that night showed “they were crouched down like turkeys peeking over the balcony” when deputies were responding. I published a much more detailed account of the event here. Eventually, all charges were dismissed.
DeMercurio and Wynn sued Dallas County and Leonard for false arrest, abuse of process, defamation, intentional infliction of emotional distress, and malicious prosecution. The case dragged on for years. Last Thursday, five days before a trial was scheduled to begin in the case, Dallas County officials agreed to pay $600,000 to settle the case.
It’s hard to overstate the financial, emotional, and professional stresses that result when someone is locked up and repeatedly accused of criminal activity for performing authorized work that’s clearly in the public interest. DeMercurio has now started his own firm, Kaiju Security.
“The settlement confirms what we have said from the beginning: our work was authorized, professional, and done in the public interest,” DeMercurio said. “What happened to us never should have happened. Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years building.”
bleepingcomputer.com
By Lawrence Abrams
January 28, 2026
The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations.
Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice stating, "The Federal Bureau of Investigation has seized RAMP."
"This action has been taken in coordination with the United States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice," the notice reads.
The seizure banner also appears to taunt the forum's operators by displaying RAMP's own slogan: "THE ONLY PLACE RANSOMWARE ALLOWED!," followed by a winking Masha from the popular Russian "Masha and the Bear" kid's cartoon.
While there has been no official announcement by law enforcement regarding this seizure, the domain name servers have now been switched to those used by the FBI when seizing domains:
Name Server: ns1.fbi.seized.gov
Name Server: ns2.fbi.seized.gov
If the seizure is genuine, law enforcement now has access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, private messages, and other potentially incriminating information.
For threat actors who failed to follow proper operational security (opsec), this could lead to identification and arrests.
In a forum post to the XSS hacking forum, one of the alleged former RAMP operators known as "Stallman" confirmed the seizure.
"I regret to inform you that law enforcement has seized control of the Ramp forum," reads the translated forum post.
"This event has destroyed years of my work building the freest forum in the world, and while I hoped this day would never come, I always knew in my heart it was possible. It's a risk we all take."
BleepingComputer contacted the FBI with questions regarding the seizure, but they declined to comment.
The RAMP cybercrime forum
The RAMP cybercrime forum launched in July 2021, following the banning of the promotion of ransomware operations by popular Russian-speaking Exploit and XSS hacking forums.
This ban was due to heightened pressure from Western law enforcement following the DarkSide ransomware attack on Colonial Pipeline.
Exploit banning ransomware promotion
In July 2021, a new Russian-speaking forum called RAMP launched, promoting itself as one of the last remaining places where ransomware could be openly promoted. This led to multiple ransomware gangs using the forum to promote their operations, recruit affiliates, and buy and sell access to networks.
RAMP was launched by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin.
Orange was previously the administrator of the Babuk ransomware operation, which shut down after its ransomware attack on the D.C. Metropolitan Police Department.
Internal disputes allegedly erupted within the group over whether stolen law enforcement data should be publicly leaked, and after the data was leaked, the group splintered.
Following the split, Orange launched the RAMP forum on a Tor onion domain that Babuk had previously used.
Soon after its launch, RAMP experienced distributed denial-of-service (DDoS) attacks that disrupted its availability. Orange publicly blamed former Babuk partners for the attacks, though the previous members denied responsibility to BleepingComputer, stating they had no interest in the forum.
The individual behind the Orange and Wazawaka aliases was later publicly identified by cybersecurity journalist Brian Krebs as Russian national Mikhail Matveev.
In an interview with Recorded Future's Dmitry Smilyanets, Matveev confirmed that he previously operated under the alias Orange and that he created RAMP using the former Babuk onion domain.
Matveev explained that the forum was initially created to repurpose Babuk's existing infrastructure and traffic. He claimed that RAMP ultimately generated no profit and was subjected to constant DDoS attacks, which led him to step away from managing it after it gained popularity.
In 2023, Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive, which targeted U.S. healthcare organizations, law enforcement agencies, and other critical infrastructure.
He was also sanctioned by the U.S. Treasury's Office of Foreign Assets Control and placed on the FBI's most-wanted list, with the U.S. State Department offering a reward of up to $10 million for information leading to his arrest or conviction.
politico.eu
January 28, 2026 4:16 pm CET
By Sam Clark
Europe is investing heavily in security but not enough in cyber, bloc’s cyber agency chief says.
BRUSSELS — The European Union urgently needs to rethink its cyber defenses as it faces an unprecedented volume and pace of attacks, the head of the bloc's cyber agency told POLITICO.
“We are losing this game,” said Juhan Lepassaar, the executive director of the EU's Agency for Cybersecurity (ENISA). “We are not catching up, we're losing this game, and we're losing massively.”
Europe has been pummeled with damaging cyberattacks in recent years, which have shut down major airports, disrupted elections and crippled hospitals. Just in the past week, cyber experts pinned an attempted attack on Poland’s power grid on Russia, and the president of Germany's Bundesbank said in an interview that the central bank faced over 5,000 cyberattacks every minute.
The cyber threats come as Europe deals with war on its eastern border, China's growing power over the global technology market and an increasingly unfriendly United States. In the past year, European countries have pledged to boost defense spending and the EU has shaped many of its policies around security and self-reliance.
Investing in security services but not in cybersecurity creates a “loophole,” Lepassaar warned.
The agency chief's warnings come one week after the European Commission presented a proposal to overhaul its Cybersecurity Act legislation. The bill would allow the EU's cyber agency, based in Athens, to expand its personnel by 118 full-time staff and to spend more on operational costs. The agency now has approximately 150 staff.
But Lepassaar lamented that wasn't nearly enough. He drew a comparison to EU police agency Europol and EU border agency Frontex, which have more than 1,400 and more than 2,500 staff respectively, with more resources on the way.
“We just don't need an upgrade. We need a rethink,” he said. “Doubling the capacity is the absolute minimum.”
The European Union has fallen short in cyber investment for years and it needs to build an entire new EU-level cyber infrastructure, the agency chief said.
Europe needs to 'step up'
When Lepassaar took charge of the agency in 2019, Europe was in a “totally different environment,” he said.
In 2019, approximately 17,000 software flaws were added to a global database logging such vulnerabilities; in 2025, more than 41,000 were added, he said. And in 2019, it took hackers approximately two months on average to use those flaws in an attack, but now it took only one day on average, he said, citing industry and government data.
The cybersecurity industry has warned it now takes hackers far less time to exploit glitches, in part because of AI.
Just as Europe has pledged to take greater responsibility for its physical security, it must do the same in cyberspace, said Lepassaar — an Estonian who previously headed the office of European Commissioner for Digital Affairs Andrus Ansip.
In areas such as cataloging and managing cyber vulnerabilities — an obscure but critical area of cybersecurity — the only organizations systematically working on the problem have long been U.S.-based, Lepassaar said. “We all reap the benefits for free … it's needed that we now step up and take our fair share of this.”
MITRE, a U.S.-based nonprofit group, manages a global database of cyber flaws on which the entire industry relies. It nearly lost funding last year before being bailed out by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
European startups and small businesses benefit from a system whose security is “backed up only by MITRE and CISA,” Lepassaar said.
ENISA has started operating a database of cyber flaws — though this was planned before MITRE nearly lost its funding — and recently took on a key technical role that further embeds it at the core of global cybersecurity infrastructure.
“It's part of our obligation as Europe to take our fair share from this,” Lepassaar said.
cnn.com
By Sean Lyngaas
PUBLISHED Jan 28, 2026, 6:00 AM ET
Weeks before the 2024 election, American military hackers carried out a secret operation to disrupt the work of Russian trolls spewing false information at US voters.
From their perch at Cyber Command at Fort Meade, Maryland, the military hackers took aim at the computer servers and key personnel of at least two Russian companies that were covertly pumping out the propaganda, according to multiple sources briefed on the operation.
The trolls were trying to influence election results in six swing states by publishing fictitious news stories that attacked American politicians who supported Ukraine. One of the companies had held “strategy meetings” with Kremlin officials on how to covertly influence US voters, according to an FBI affidavit.
In one case, the Cyber Command operatives planned to knock offline computer servers based in a European country that one of the Russian companies used, the sources said. Though the Russian trolls continued to create content through Election Day, when President Donald Trump defeated then-Vice President Kamala Harris, one source briefed on the hacking effort said it successfully slowed down the Russians’ operations.
The hacking campaign, which hasn’t been previously reported, was one of multiple US cyber operations against Russian and Iranian groups aimed at blunting foreign influence on the 2024 election. It was part of a broader US government effort involving the FBI, the Department of Homeland Security, and other intelligence and security agencies that exposed and disrupted foreign meddling.
But a year into a second Trump administration, many of the government centers previously tasked with repelling foreign influence operations have been disbanded or downsized — and local election officials are preparing to face a continued onslaught of foreign influence operations largely on their own.
The administration has shut down foreign-influence-focused centers at the Office of the Director of National Intelligence, the FBI and the State Department that helped warn the public that China, Russia and Iran’s spy services were targeting Americans with election-related disinformation. The Department of Homeland Security has also slashed its election security teams, which pass intelligence to local election offices and help them defend against cyber threats.
The Trump administration has accused those federal programs of censoring Americans and conducting domestic interference in US elections.
While military cyber operations are still an option, there is widespread concern among current and former officials that the US government’s willingness to combat foreign efforts to shape elections has waned. The cuts to election security programs risk causing an exodus of expertise at US intelligence and security agencies that was built up over nearly a decade.
The cuts come even as the US intelligence community found, in a threat assessment released by the office of Director of National Intelligence Tulsi Gabbard, that foreign powers will continue to try to influence US elections.
“I find it devastating and deeply alarming for our national security,” said Mike Moser, a former election security specialist at DHS’ Cybersecurity and Infrastructure Security Agency, who resigned after the agency froze its election work last year. “To see those partnerships unilaterally dismantled is a tragedy. We are losing the human and technological infrastructure that protects our democracy.”
Foreign influence and propaganda tend to increase in years when general elections or midterms are held. But even in the off-year of 2025, groups tied to authoritarian regimes were weighing in on races like the New York City mayoral election.
Chinese state-owned media accounts repeatedly amplified Trump’s attacks on Zohran Mamdani, the Democrat who ended up winning New York’s mayoral election, according to disinformation-tracking firm Alethea Group. Some pro-Iranian influencer accounts, meanwhile, pivoted to attacking Mamdani as a “Zionist apologist” in October after Mamdani made overtures to Jewish voters in New York, Alethea said.
But by the time that election was held in November of last year, the cuts to election protection efforts had already taken hold.
The 2026 midterms could be a litmus test for how foreign adversaries respond to a US government that is less forceful in publicly combating influence operations.
“We’ve not had a disaster take place because, in many ways, the procedures and policies and tools set up during the first Trump administration helped keep us safe,” Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, told CNN. “We’re going into a (2026) election cycle with our guard down.”
Multiple government agencies and processes for countering foreign influence that are now being cut were set up during Trump’s first term, including a dedicated team at the FBI that tracked counterintelligence threats to elections.
In April, Trump fired Gen. Tim Haugh, the head of Cyber Command and the National Security Agency, who had led numerous operations countering Russian meddling.
“The foundation that we built to protect our electoral process was driven by the first Trump administration’s direct guidance to NSA and Cyber Command — the focus that they put at CISA and FBI to counter foreign influence and then any potential hacking activity targeting our electoral process,” Haugh told CNN in his first interview on the subject since being fired. He declined to comment on any Cyber Command operations during the 2024 election.
Far-right activist and Trump confidant Laura Loomer had pushed for Haugh’s removal, publicly calling him “disloyal” to Trump due to the fact that he had served alongside former Chairman of the Joint Chiefs of Staff Gen. Mark Milley. Haugh has denied the allegation.
Nearly 10 years after Russian agents tried to influence the 2016 election through hacking and disinformation, Americans are arguably more susceptible to covert propaganda than ever, according to experts.
“This is just an enormous set of vulnerability for our nation,” Haugh said. “We have shown a decreasing ability to discern truth from fiction as a society.”
Cyber Command declined to comment for this story. The NSA referred questions to ODNI.
Cuts to federal funding for cybersecurity services for election offices have forced those offices to scramble for alternative funds, said Paul Lux, a Republican who is the top election official for Okaloosa County, Florida.
Election officials are also unsure whether the FBI and CISA will continue to hold classified briefings for them on threats to elections, something those agencies have done for years.
The briefings were “illuminating,” Lux said. “They allowed me to personally connect some dots” by making the threats more tangible, he added.
The FBI had no comment when asked by CNN whether the briefings would continue.
A CISA spokesperson did not directly answer a question about the briefings but provided a statement that read, in part, “since January 2025, CISA has issued 38 joint cybersecurity advisories with law enforcement and international partners and provided threat intelligence guidance to combat evolving threats and protect critical infrastructure, and we will continue to ensure election officials remain informed of any emerging issues going forward.”
With or without federal security and intelligence support, election officials will be ready to do their job, Lux said. “Our mission doesn’t change. (It is to) provide safe, free and fair elections with as much transparency as possible.”
Dismantling offices
The same type of Russian trolls that Cyber Command took aim at in the 2024 election continue to churn out content. A Russian covert influence network focused on undermining Western support for Ukraine has set up at least 200 fake websites since last March to target audiences in the US, France and elsewhere, according to the cyber intelligence firm Recorded Future.
The concern among more than a dozen current and former officials who spoke to CNN is that the Trump administration took a hatchet, rather than a scalpel, to federal programs aimed at countering the type of influence operation that Recorded Future uncovered. The programs could have been downsized, rather than abruptly canceled, in a way that met the Trump administration’s goal of cutting bureaucratic red tape, the sources said.
The State Department’s Global Engagement Center, which focused on combating foreign propaganda, posted a massive US intelligence dump on Russian meddling prior to the 2024 election. (The Trump administration formally shut down the State Department center last April after Congress let its funding expire.)
ODNI’s Foreign Malign Influence Center, which was set up under then-President Joe Biden, turned intelligence on Russian AI-generated videos posted on X purporting to show voter fraud into public statements in the days before Election Day in 2024.
Without that center, it’s unclear which government agency would warn the public of such efforts.
In announcing the Foreign Malign Influence Center’s closure in August, ODNI said the center was “redundant” and that other elements of the intelligence community perform some of the same work. Some Republican lawmakers agree.
“I am confident ODNI and the (intelligence community) will remain poised to assess and warn policymakers of covert and overt foreign influence operations targeting (US government) policies and manipulating public opinion,” said Rick Crawford, an Arkansas Republican who chairs the House intelligence committee, in a statement to CNN.
But Haugh, who spent more than three decades in the Air Force, said the cuts at various federal agencies mean that the US government has fewer levers to pull to punish or expose foreign influence operations.
ODNI did not answer a detailed list of questions on how the agency plans to counter foreign influence, including whether ODNI has a top intelligence specialist dedicated to the issue, as it has had in years past. An ODNI spokesperson referred CNN to a previous agency statement saying the Foreign Malign Influence Center’s core functions would be moved to other parts of ODNI.
Gabbard said in August that ODNI would cut its workforce by over 40% and save taxpayers hundreds of millions of dollars in the process.
Trump’s new pick to replace Haugh and lead the NSA and Cyber Command, Lt. Gen. Joshua Rudd, pledged to protect the electoral process from foreign interference during his Senate confirmation hearing.
“Any foreign attempt to undermine the American process of democracy, and at the center of that is our electoral process, as you all know far better than I do, has got to be safeguarded,” Rudd told senators on January 15.
A sensitive subject
The FBI’s election security posture today has been shaped by Trump’s grievances over the bureau’s investigation into his 2016 campaign’s contacts with Russia and his false claims of a stolen 2020 election.
As president-elect in 2017, Trump was incensed when then-FBI Director James Comey briefed him on the existence of a salacious, and later debunked, dossier about Trump gathered by a former British intelligence agent. Many see a through line between that day and the FBI’s current counterintelligence posture for elections.
“You could argue that where we are today happened because Comey briefed Trump, Trump got embarrassed and the rest is one big revenge tour,” said a former senior FBI counterintelligence official who served during the first Trump term and Biden’s term. They spoke on the condition of anonymity out of fear of retaliation from the Trump administration.
If and when US officials speak publicly on foreign efforts to shape US democracy is an intensely delicate subject in the second Trump administration. Trump has bristled at US intelligence findings that Russia tried to influence the 2016 election in his favor, while Democrats have often exaggerated those findings to attack Trump.
A year after FBI agents were caught off-guard in 2016 by the scale of Russian hacking and propaganda aimed at voters, the bureau set up a Foreign Influence Task Force (FITF), a team of about 30 people to focus on the threat of foreign meddling. The task force passed intelligence about what foreign spies were doing on Facebook and Twitter to those social media platforms.
In February 2025, Attorney General Pam Bondi dissolved FITF, citing the need to “free resources to address more pressing priorities, and end risks of further weaponization and abuses of prosecutorial discretion.”
The impact of Bondi’s memo goes beyond FITF, according to current and former FBI officials. It’s a disincentive for any FBI agent to take up a case involving Russian election influence.
“Say the Russians influence the election again — I’m worried that we won’t know it until after the fact,” the ex-FBI official said.
In a statement to CNN, the FBI said it continues to pursue cases related to “foreign influence efforts by adversarial nations.”
“The Counterintelligence Division and our field offices work together to defend the homeland against all foreign influence efforts, including any attempts at election interference,” the FBI said.
The Cyber Command operation against Russian trolls in 2024 followed the Justice Department’s public disclosure that it had seized internet domains used by the trolls. US officials saw the hacking as an added, clandestine counter-punch to complement the law enforcement seizure. Under the second Trump administration, the public may not know if the Justice Department takes such an action leading up to an election.
After Trump won the 2024 election, a planning document used by his transition team and reviewed by CNN lamented a “surge in politicization and meddling in US politics by US intelligence agencies,” and said the Justice Department and the FBI should revisit how they communicate threats to the public, “e.g. in announcing indictments of foreign hackers or getting involved in threats to election security in partisan ways.”
Working with local election offices
Cyber Command, the NSA and other parts of the US intelligence community began playing a more prominent role in the cyber defense of US elections after the Russian intervention in 2016. The federal Cybersecurity and Infrastructure Security Agency emerged as a conduit between those powerful military and spy agencies and local election offices, building trust with those offices and passing on intelligence on foreign threats. Trump signed a law establishing CISA as a part of the Department of Homeland Security during his first term.
But Trump and his top advisers never forgave CISA’s leadership for saying the 2020 election was secure. They accused CISA of “censoring” conservative voices when in the first Trump term, at the urging of Republican and Democratic election officials, the agency flagged to social media platforms posts that spread false information about voting. The second Trump administration last year paused all of CISA’s election security work and reassigned the agency’s election specialists or put them on administrative leave.
CISA spokespeople say the agency still offers some cybersecurity services to election offices, as it does other sectors. But election officials say the impact from the cuts to so many offices, including CISA, is clear.
A day after the US bombed Iranian nuclear facilities in June, pro-Iranian hackers breached an Arizona state election website and replaced candidates’ photos with an image of Iran’s Supreme Leader Ayatollah Ali Khamenei. It had echoes of 2020, when, according to the FBI, Iranian hackers set up a website with violent threats to election officials.
But while CISA was central to the federal response to the 2020 incident — and communicated proactively with election officials then — Arizona election officials now say they are not getting the same level of collaboration with the agency. In a statement to CNN, a CISA official said the agency “worked with Arizona and provided direct assistance to support their response efforts.”
The cuts to CISA have “drastically reduced national visibility into foreign threats and increased the potential for security failures,” Moser, the former CISA election security official, told CNN. “While state and local officials take great care to secure elections, now they are effectively being siloed and expected to combat sophisticated nation-state adversaries with severely limited federal support.”
A CISA spokesperson said: “Every day, DHS and CISA are providing our partners the most capable and timely threat intelligence, expertise, no-cost tools and resources these partners need to defend against risks.”
Foreign powers, with the help of artificial intelligence, will continue to target American voters with disinformation, the ODNI said in its annual worldwide threat assessment published in March.
“Reinforcing doubt in the integrity of the U.S. electoral system achieves one of (Russia’s) core objectives,” the intelligence report says.
China, in particular, is making alarming leaps in AI-powered influence activity, according to researchers at Vanderbilt University’s Institute of National Security. In August, the institute published documents leaked from a Chinese firm that appear to show it targeting the 2024 Taiwan election with a wave of social media posts. The Chinese firm has also put together profiles on at least 117 members of Congress and more than 2,000 American political figures and “thought leaders,” according to the research.
“This election cycle, foreign governments will be able to use AI tools to essentially whisper in the ear of anyone they target,” said Emerson Brooking, a former Pentagon cyber policy adviser who now studies influence operations at the Atlantic Council’s Digital Forensic Research Lab. “And the Trump team isn’t just unprepared; they’ve deliberately knocked down a lot of the defenses built over the past eight years.”
Last year, Gabbard and Iowa GOP Sen. Chuck Grassley released declassified intelligence documents related to the FBI and intelligence community’s probes of Russian influence on the 2016 election. Contrary to Gabbard’s public claims, the documents do not show the probes were a hoax. But they do show the lengths to which Russia’s SVR foreign intelligence service was willing to go either to impress their Kremlin bosses or to play mind games with US officials analyzing the hack, according to Michael van Landingham, a former CIA analyst, and Alex Orleans, a counterintelligence researcher.
That Americans are still arguing about Russia’s 2016 influence operations 10 years later is exactly what Russian intelligence hoped for, they said.
“SVR officers are definitely dining out on the fact that our national discourse still can’t fully escape the riptides of 2016,” Orleans told CNN.
CNN’s Katie Bo Lillis and Evan Perez contributed to this report.
politico.com
By John Sakellariadis
01/27/2026 03:30 PM EST
The interim director of the Cybersecurity and Infrastructure Security Agency triggered an internal cybersecurity warning with the uploads — and a DHS-level damage assessment.
The interim head of the country’s cyber defense agency uploaded sensitive contracting documents into a public version of ChatGPT last summer, triggering multiple automated security warnings that are meant to stop the theft or unintentional disclosure of government material from federal networks, according to four Department of Homeland Security officials with knowledge of the incident.
The apparent misstep from Madhu Gottumukkala was especially noteworthy because the acting director of the Cybersecurity and Infrastructure Security Agency had requested special permission from CISA’s Office of the Chief Information Officer to use the popular AI tool soon after arriving at the agency this May, three of the officials said. The app was blocked for other DHS employees at the time.
None of the files Gottumukkala plugged into ChatGPT were classified, according to the four officials, each of whom was granted anonymity for fear of retribution. But the material included CISA contracting documents marked “for official use only,” a government designation for information that is considered sensitive and not for public release.
Cybersecurity sensors at CISA flagged the uploads this past August, said the four officials. One official specified there were multiple such warnings in the first week of August alone. Senior officials at DHS subsequently led an internal review to assess if there had been any harm to government security from the exposures, according to two of the four officials.
It is not clear what the review concluded.
In an emailed statement, CISA’s Director of Public Affairs Marci McCarthy said Gottumukkala “was granted permission to use ChatGPT with DHS controls in place,” and that “this use was short-term and limited.” McCarthy added that the agency was committed to “harnessing AI and other cutting-edge technologies to drive government modernization and deliver on” Trump’s executive order removing barriers to America’s leadership in AI.
The email also appeared to dispute the timeline of POLITICO’s reporting: “Acting Director Dr. Madhu Gottumukkala last used ChatGPT in mid-July 2025 under an authorized temporary exception granted to some employees. CISA’s security posture remains to block access to ChatGPT by default unless granted an exception.”
Gottumukkala is currently the senior-most political official at CISA, an agency tasked with securing federal networks against sophisticated, state-backed hackers from adversarial nations, including Russia and China.
Any material uploaded into the public version of ChatGPT that Gottumukkala was using is shared with ChatGPT-owner OpenAI, meaning it can be used to help answer prompts from other users of the app. OpenAI has said the app has more than 700 million total active users.
Other AI tools now approved for use by DHS employees — such as DHS’s self-built AI-powered chatbot, DHSChat — are configured to prevent queries or documents input into them from leaving federal networks.
Gottumukkala “forced CISA’s hand into making them give him ChatGPT, and then he abused it,” said the first official.
All federal officials are trained on the proper handling of sensitive documents. According to DHS policy, security officials are also supposed to investigate the “cause and affect” of any exposure of official use documents, and determine the “appropriateness” of any administrative or disciplinary action. Depending on the circumstances, those could range from things like mandatory retraining or a formal warning, to more serious measures, like the suspension or revocation of a security clearance, said one of the four officials.
After DHS detected the activity, Gottumukkala spoke with senior officials at DHS to review what he uploaded into ChatGPT, said two of the four officials. DHS’s then-acting general counsel, Joseph Mazzara, was involved in the effort to assess any potential harm to the department, according to the first official. Antoine McCord, DHS’s chief information officer, was also involved, according to a second official.
Gottumukkala also had meetings this August with CISA’s chief information officer, Robert Costello, and its chief counsel, Spencer Fisher, about the incident and the proper handling of for official use only material, the four people said.
Mazzara and Costello did not respond to requests for comment. McCord and Fisher could not be reached for comment.
Gottumukkala has helmed the agency in an acting capacity since May, when he was appointed by DHS Secretary Kristi Noem as its deputy director. Donald Trump’s nominee to head CISA, DHS special adviser Sean Plankey, was blocked last year by Sen. Rick Scott (R-Fla.) over a Coast Guard shipbuilding contract. A date for his new confirmation hearing has not been set.
Gottumukkala’s tenure atop the agency has not been smooth — and this would not be his first security-related incident.
At least six career staff were placed on leave this summer after Gottumukkala failed a counterintelligence polygraph exam that he pushed to take, as POLITICO first reported. DHS has called the polygraph “unsanctioned.” Asked during Congressional testimony last week if he was “aware” of the failed test, Gottumukkala twice told Rep. Bennie Thompson (D-Miss.) that he did not “accept the premise of that characterization.”
And last week, Gottumukkala tried to oust Costello, CISA’s CIO, before other political appointees at the agency intervened to block the move.
ctrlaltnod.com
Emanuel DE ALMEIDA
January 29, 2026
SonicWall cloud breach led to ransomware attack affecting 74+ US banks and 400,000+ individuals via Marquis Software Solutions compromise.
TL;DR
Marquis Software Solutions suffered a ransomware attack on August 14, 2025, affecting over 74 U.S. banks and credit unions and compromising data of 400,000+ individuals
Investigation revealed attackers exploited configuration data stolen from SonicWall's cloud backup service breach in September 2025
State-sponsored hackers accessed SonicWall's MySonicWall cloud service via API calls, initially affecting "less than 5%" but later confirmed to impact all cloud backup customers
The attack bypassed Marquis's firewall defenses using stolen configuration files rather than exploiting CVE-2024-40766 as initially suspected
Marquis is pursuing legal recourse against SonicWall and evaluating options to recover expenses from the incident
Verified Timeline
August 14, 2025 — Marquis Software Solutions detected suspicious network activity and confirmed ransomware attack, initiated investigation with cybersecurity experts
September 17, 2025 — SonicWall disclosed security incident involving unauthorized access to MySonicWall cloud backup files, initially reporting less than 5% of firewall customers affected
October 9, 2025 — SonicWall updated disclosure, confirming all customers using cloud backup service were impacted
November 5, 2025 — SonicWall attributed breach to state-sponsored hackers who accessed cloud backup files via API call
December 3, 2025 — Marquis began notifying affected banks and credit unions about data breach from August ransomware attack
January 29, 2026 — Marquis publicly attributed ransomware attack to exploitation of configuration data from SonicWall's cloud backup breach
What We Know vs. What's Unclear
Confirmed
State-sponsored hackers breached SonicWall's MySonicWall cloud service in September 2025
All SonicWall customers using cloud backup service were affected, not just 5% as initially reported
Attackers accessed firewall configuration backup files via API calls
Marquis ransomware attack on August 14, 2025 affected 74+ U.S. financial institutions
Over 400,000 individuals had personal information compromised
Attackers used stolen SonicWall configuration data to circumvent Marquis firewall defenses
CVE-2024-40766 was not the primary attack vector as initially suspected
Unclear or Unconfirmed
Identity of the state-sponsored threat group behind SonicWall breach
Specific ransomware family used in Marquis attack
Exact method by which attackers used the configuration data to bypass security controls
Whether the same threat actors were responsible for both SonicWall breach and Marquis attack
Full scope of additional organizations potentially compromised using stolen SonicWall data
Timeline between SonicWall data theft and Marquis attack initiation
Who Is Affected
This interconnected breach affected multiple stakeholder groups across the financial services sector:
Primary Victims: Marquis Software Solutions, a Texas-based financial services provider, serves as the central victim of the ransomware attack that leveraged stolen SonicWall configuration data.
Financial Institutions: Over 74 U.S. banks and credit unions that utilize Marquis services experienced data exposure. These institutions face potential regulatory scrutiny, customer trust erosion, and compliance obligations under financial data protection regulations.
Individual Consumers: More than 400,000 individuals associated with affected financial institutions had sensitive personal information compromised, including Social Security numbers, Taxpayer Identification Numbers, financial account details, and personal identifiers.
SonicWall Customers: All customers using SonicWall's MySonicWall cloud backup service experienced configuration file exposure, potentially enabling similar attacks against other organizations using compromised firewall settings.
Broader Impact: The incident demonstrates supply chain vulnerability risks, where third-party service breaches can enable downstream attacks against customers who may have maintained otherwise secure configurations.
Technical Details
SonicWall Breach Vector: State-sponsored hackers accessed SonicWall's MySonicWall cloud service through API calls, successfully extracting firewall configuration backup files stored in the cloud environment. The breach occurred in September 2025, with SonicWall initially underestimating the scope before confirming all cloud backup customers were affected.
CVE-2024-40766 Context: Initially suspected as the attack vector, CVE-2024-40766 represents an improper access control vulnerability in SonicWall's SSLVPN feature that allows authentication bypass. This critical vulnerability was patched by SonicWall in August 2024, but investigators determined it was not the primary attack method used against Marquis.
Attack Methodology: Rather than exploiting unpatched vulnerabilities, attackers leveraged configuration data stolen from SonicWall's cloud service to understand and circumvent Marquis's firewall defenses. The specific technical methods used to weaponize configuration files have not been disclosed.
Ransomware Details: The specific ransomware family deployed against Marquis has not been publicly disclosed. The incident reflects broader trends where ransomware groups adopt new tactics to maximize impact and evade traditional security measures. Technical indicators of compromise and malware signatures remain unavailable in public reporting.
CVSS Scoring: CVE-2024-40766 maintains critical severity ratings, though specific CVSS scores were not confirmed in available sources. The vulnerability's critical classification reflects its potential for authentication bypass in SSLVPN implementations.
Detection & Validation
Organizations can implement several detection strategies to identify potential exploitation of stolen configuration data:
Firewall Configuration Monitoring: Implement continuous monitoring of firewall rule changes, VPN configuration modifications, and access control list updates. Establish alerts for unauthorized configuration changes or suspicious administrative access patterns.
Network Traffic Analysis: Monitor for unusual network traffic patterns that might indicate attackers leveraging knowledge of internal network configurations. Focus on connections to previously unknown external IP addresses or unexpected internal network traversal.
Authentication Log Review: Examine VPN and administrative access logs for successful authentication attempts using compromised credentials or from unexpected geographic locations. Look for authentication events occurring outside normal business hours.
API Activity Monitoring: For organizations using cloud-based firewall management services, monitor API call patterns and authenticate all management interface access. Implement alerting for bulk configuration downloads or unusual API usage patterns.
Endpoint Detection: Deploy endpoint detection and response tools to identify lateral movement techniques that attackers might employ after gaining initial access through compromised firewall configurations.
Specific IOCs: Specific indicators of compromise related to this incident have not been publicly disclosed by affected organizations or security vendors.
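As an added example (not from the article, SonicWall or Marquis), the following Python implements two of the detections listed above over constructed log lines: bulk configuration-backup downloads by one API account, and successful VPN logins outside business hours or from an unexpected country. The pipe-delimited field layout, the thresholds and the allowlists are assumptions, not any vendor's real format.

```python
"""Detection logic for two of the strategies above: bulk firewall
configuration-backup downloads through a cloud management API, and
successful VPN logins outside business hours or from unexpected countries.

The log formats and the policy constants are constructed for this example;
they are not SonicWall's audit or syslog formats. Map your vendor's fields
onto the same tuples to reuse the logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed cloud-management audit lines: ts|account|action|device
API_AUDIT = """\
2025-09-02T01:12:03Z|api-key-7f3a|config.backup.download|fw-hq-01
2025-09-02T01:12:05Z|api-key-7f3a|config.backup.download|fw-hq-02
2025-09-02T01:12:06Z|api-key-7f3a|config.backup.download|fw-branch-07
2025-09-02T01:12:08Z|api-key-7f3a|config.backup.download|fw-branch-08
2025-09-02T01:12:09Z|api-key-7f3a|config.backup.download|fw-dmz-01
2025-09-02T02:00:00Z|svc-nightly-backup|config.backup.download|fw-hq-01
2025-09-02T02:00:01Z|svc-nightly-backup|config.backup.download|fw-hq-02
2025-09-02T02:00:02Z|svc-nightly-backup|config.backup.download|fw-branch-07
2025-09-02T02:00:03Z|svc-nightly-backup|config.backup.download|fw-branch-08
2025-09-02T09:30:00Z|alice|config.backup.download|fw-hq-01
2025-09-02T14:02:11Z|bob|config.view|fw-hq-02
"""

# Constructed VPN authentication lines: ts|user|result|src_ip|country
VPN_AUTH = """\
2025-10-14T08:55:10Z|alice|success|203.0.113.7|US
2025-10-14T23:41:52Z|svc-admin|success|198.51.100.23|US
2025-10-15T10:02:00Z|carol|success|192.0.2.44|NL
2025-10-15T10:05:31Z|dave|failure|192.0.2.45|NL
"""

BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 4                              # distinct devices per account per window
KNOWN_BACKUP_ACCOUNTS = {"svc-nightly-backup"}  # approved scheduled backup jobs
BUSINESS_HOURS = range(7, 20)                   # 07:00-19:59 UTC, constructed policy
EXPECTED_COUNTRIES = {"US"}                     # constructed allowlist


def parse_lines(blob, fields):
    """Split pipe-delimited lines into dicts and parse the timestamp."""
    records = []
    for line in blob.strip().splitlines():
        rec = dict(zip(fields, line.split("|")))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def detect_bulk_config_downloads(lines=API_AUDIT):
    """Alert when an account not on the approved list downloads backups for
    >= BULK_THRESHOLD distinct devices inside a BULK_WINDOW sliding window.
    Returns (account, window start, sorted devices) per offending account."""
    recs = parse_lines(lines, ["ts", "account", "action", "device"])
    downloads = defaultdict(list)
    for r in recs:
        if r["action"] == "config.backup.download" and r["account"] not in KNOWN_BACKUP_ACCOUNTS:
            downloads[r["account"]].append(r)
    alerts = []
    for account, events in downloads.items():
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > BULK_WINDOW:
                start += 1
            devices = {e["device"] for e in events[start:end + 1]}
            if len(devices) >= BULK_THRESHOLD:
                alerts.append((account, events[start]["ts"], sorted(devices)))
                break  # one alert per account is enough for triage
    return alerts


def detect_suspicious_vpn_logins(lines=VPN_AUTH):
    """Flag successful VPN logins outside business hours or from a country
    not on the allowlist. Failures are left to separate brute-force logic."""
    recs = parse_lines(lines, ["ts", "user", "result", "src_ip", "country"])
    findings = []
    for r in recs:
        if r["result"] != "success":
            continue
        reasons = []
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside-business-hours")
        if r["country"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected-country:" + r["country"])
        if reasons:
            findings.append((r["user"], r["src_ip"], reasons))
    return findings


if __name__ == "__main__":
    for account, when, devices in detect_bulk_config_downloads():
        print(f"BULK CONFIG DOWNLOAD {account} from {when:%H:%M:%S}: {devices}")
    for user, ip, reasons in detect_suspicious_vpn_logins():
        print(f"VPN LOGIN {user} from {ip}: {', '.join(reasons)}")
```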
Mitigation & Hardening
Immediate Credential Reset: Reset all credentials, API keys, and authentication tokens used by users, VPN accounts, and administrative services. This includes service accounts and automated system credentials that may have been exposed in configuration files.
Firewall Configuration Audit: Conduct comprehensive review of current firewall rules, VPN configurations, and access control policies. Compare current settings against known-good baselines to identify unauthorized modifications.
Multi-Factor Authentication Implementation: Deploy MFA across all administrative interfaces, VPN connections, and cloud management portals. Prioritize hardware-based tokens or certificate-based authentication for high-privilege accounts.
Network Segmentation Review: Reassess network segmentation strategies to limit potential lateral movement if perimeter defenses are compromised. Implement zero-trust principles for internal network communications.
Cloud Service Security Assessment: Evaluate security posture of all third-party cloud services, particularly those handling configuration data or backup files. Implement additional encryption and access controls where possible.
Patch Management Acceleration: Ensure all network security devices receive priority patching, particularly SonicWall devices that should be updated to address CVE-2024-40766 and other known vulnerabilities.
Monitoring Enhancement: Deploy enhanced network monitoring tools to detect configuration-based attacks and unusual administrative activity. Establish baselines for normal network behavior patterns.
Incident Response Planning: Update incident response procedures to address supply chain compromise scenarios where third-party service breaches enable downstream attacks.
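The credential-reset step above presumes you know which secrets a stolen backup held. As an added example, not from the article or from SonicWall, this Python script inventories the secret-bearing fields in a constructed, generic firewall configuration export and turns them into a rotation checklist; the line syntax and field names are assumptions and do not match any real vendor's format.

```python
"""Inventory the secrets inside a firewall configuration backup so every
one of them can be rotated after the backup is known to be stolen.

The configuration syntax and field names below are constructed for this
example and do not match SonicWall's or any other vendor's export format;
only the approach (tokenise each line, pull out secret-bearing fields,
redact the value, attach a rotation action) carries over."""
import shlex

# Constructed sample export; values are placeholders, not real secrets.
CONFIG_BACKUP = """\
# firewall fw-hq-01 - constructed sample
admin user "admin" password-hash "$6$saltsalt$EXAMPLEHASHVALUE"
vpn tunnel "to-branch-07" peer 198.51.100.9 preshared-key "ExamplePSK-07"
vpn tunnel "to-branch-08" peer 198.51.100.10 preshared-key "ExamplePSK-08"
ldap server 10.0.0.5 bind-dn "cn=fwbind,dc=corp,dc=example" bind-password "ExampleBind1"
radius server 10.0.0.6 shared-secret "ExampleRadiusSecret"
snmp community "public" access read-only
cloud-backup api-key "ck_EXAMPLE_0000"
interface X1 ip 203.0.113.1/29 zone WAN
"""

# Secret-bearing fields and what rotating each one actually involves.
SECRET_FIELDS = {
    "password-hash": "admin credential: change it (a hash can be cracked offline)",
    "preshared-key": "IPsec pre-shared key: re-key both tunnel endpoints",
    "bind-password": "directory bind account: rotate in LDAP and on the firewall",
    "shared-secret": "RADIUS secret: rotate on the server and every client",
    "api-key": "cloud/management API key: revoke and reissue",
    "community": "SNMP community string: change it, move to SNMPv3",
}
WELL_KNOWN_VALUES = {"public", "private", "admin", "password"}


def redact(value):
    """Keep just enough of a value to match it against a vault entry."""
    return value[:2] + "..." + value[-2:] if len(value) > 6 else "***"


def inventory_secrets(config_text=CONFIG_BACKUP):
    """Return one rotation item per secret-bearing field in the export."""
    items = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = shlex.split(line)
        # Object identity: type and kind, plus the object's name when the
        # third token is not itself a secret (e.g. the SNMP community).
        ident = tokens[:2]
        if len(tokens) > 2 and tokens[1] not in SECRET_FIELDS:
            ident = tokens[:3]
        for key, value in zip(tokens, tokens[1:]):
            if key in SECRET_FIELDS:
                items.append({
                    "line": lineno,
                    "object": " ".join(ident),
                    "field": key,
                    "value": redact(value),
                    "well_known": value.lower() in WELL_KNOWN_VALUES,
                    "action": SECRET_FIELDS[key],
                })
    return items


def rotation_summary(items):
    """Count secrets per field type so the checklist can be tracked."""
    summary = {}
    for item in items:
        summary[item["field"]] = summary.get(item["field"], 0) + 1
    return summary


if __name__ == "__main__":
    found = inventory_secrets()
    for item in found:
        flag = " [well-known default]" if item["well_known"] else ""
        print(f"line {item['line']:>2} {item['object']:<28} {item['field']:<14} "
              f"{item['value']:<10}{flag}  -> {item['action']}")
    print(rotation_summary(found))
```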
FAQ
How did attackers use SonicWall configuration data to compromise Marquis?
According to Marquis's statement, attackers leveraged configuration data extracted from SonicWall's cloud backup breach to circumvent their firewall defenses. The stolen configuration files likely contained network topology information, firewall rules, and security policies that attackers used to identify weaknesses and craft targeted bypass techniques. Specific technical details of how configuration data was weaponized have not been publicly disclosed.
Were SonicWall customers who don't use cloud backup affected?
No, the SonicWall breach specifically affected customers using the MySonicWall cloud backup service. Organizations that maintain local-only firewall configurations and don't utilize SonicWall's cloud backup features were not directly impacted by the configuration file theft. However, all SonicWall customers should ensure they have applied patches for CVE-2024-40766 and other known vulnerabilities.
What legal action is Marquis taking against SonicWall?
Marquis has indicated they are evaluating options with respect to SonicWall, including seeking recoupment of expenses incurred due to the incident. The company has not specified whether formal legal proceedings have been initiated, but they are exploring potential avenues for recovering costs related to the breach investigation, customer notification, and remediation efforts.
How can organizations protect against similar supply chain attacks?
Organizations should implement multiple defensive layers including vendor risk assessments, contractual security requirements for third-party services, monitoring of cloud service provider security bulletins, and incident response procedures that account for supply chain compromises. Recent incidents like Ingram Micro's ransomware attack and ransomware attacks on major firms demonstrate the importance of maintaining defense-in-depth strategies that ensure single points of failure in vendor services don't compromise entire security postures. Organizations should also stay informed about emerging threats, such as new ransomware techniques being adopted by threat actors.
cyberscoop.com
By Matt Kapko
January 22, 2026
Ianis Antropenko, a Russian national living in California, admitted to committing ransomware attacks against at least 50 victims. He faces up to 25 years in jail.
A Russian national pleaded guilty to leading a ransomware conspiracy that targeted at least 50 victims during a four-year period ending in August 2022.
Ianis Aleksandrovich Antropenko began participating in ransomware attacks before moving to the United States, but conducted many of his crimes while living in Florida and California, where he’s been out on bond enjoying rare leniency since his arrest in 2024.
Antropenko pleaded guilty in the U.S. District Court for the Northern District of Texas earlier this month to conspiracy to commit money laundering and conspiracy to commit computer fraud and abuse. He faces up to 25 years in jail, fines up to $750,000 and is ordered to pay restitution to his victims and forfeit property.
Federal prosecutors reached a plea agreement with Antropenko after a years-long investigation, closing one of the more unusual cases against a Russian ransomware operator who committed many of his crimes while living in the U.S.
While most cybercriminals, especially those involved in ransomware, are held in jail pending trial because they pose a flight risk, Antropenko was granted bail the day of his arrest.
This rare display of leniency in a case involving a prolific cybercriminal is even more striking considering his multiple run-ins with police since then. Antropenko violated the conditions of his pretrial release at least three times in a four-month period last year, including two arrests in Southern California involving dangerous behavior while under the influence of drugs and alcohol.
As part of his plea agreement, Antropenko recognized that pleading guilty could impact his immigration status since the crimes he committed are removable offenses.
Court records don’t indicate if Antropenko has been detained pending sentencing, and his sentencing hasn’t been scheduled. His attorney and federal prosecutors working on his case did not respond to requests for comment.
Antropenko admitted to leading the ransomware conspiracy with the aid of multiple co-conspirators, including some who lived outside the U.S.
His ex-wife, Valeriia Bednarchik, was previously implicated by the FBI and prosecutors as one of his alleged co-conspirators involved in the laundering of ransomware proceeds.
FBI investigators traced Antropenko’s activities via accounts he held at Proton Mail, PayPal and Bank of America, and accounts he and Bednarchik controlled at Binance and Apple. In Bednarchik’s iCloud account, agents found a seed phrase for a crypto wallet that had received over 40 Bitcoin from Antropenko’s accounts, as well as evidence she had agreed to safeguard a disguised copy of this phrase so the funds could be accessed if Antropenko became unavailable. Her account also contained joint tax returns with Antropenko and photos showing large amounts of U.S. cash.
Bednarchik, who also lives in Southern California, has been identified as Antropenko’s unnamed co-conspirator through court documents and public records. While authorities previously indicated they plan to bring charges against her, no cases are currently pending.
Antropenko, who previously pleaded not guilty to the charges in October 2025, used multiple ransomware variants to commit attacks, including Zeppelin and GlobeImposter. The ransomware operation he led caused losses of at least $1.5 million to victims, according to court records.
Yet, the spoils of his crimes appear to be much greater. The Justice Department seized more than $2.8 million in cryptocurrency, nearly $71,000 in cash and two luxury vehicles from Antropenko in February 2024. Authorities seized an additional $595,000 in cryptocurrency from a wallet Antropenko owned in July 2025.
pcmag.com
Michael Kan
Senior Reporter
UPDATE 1/24: The hacking group World Leaks claims to have stolen 1.4TB of data from Nike, according to a post on the gang's website.
The stolen data covers 188,000 files. But a cursory look suggests that World Leaks looted internal files about Nike's clothing manufacturing business, rather than any customer or employee information. For example, a few of the folders are titled "Garment making process," "Nike Apparel tools" and "Women's Lifestyle." Another set of folders have Chinese-language titles.
Image: The data (World Leaks)
We've reached out to Nike for comment and we'll update the story if we hear back.
Original story:
Nike is investigating a possible data breach after a hacking group listed the fashion brand as one of its latest victims.
On Thursday, cybersecurity researchers spotted World Leaks posting on the dark web about breaching Nike. It's unclear what they stole; for now, the group’s post shows only a countdown clock, indicating that World Leaks plans to reveal more on Saturday morning.
In response, Nike told PCMag: “We always take consumer privacy and data security very seriously. We are investigating a potential cybersecurity incident and are actively assessing the situation.”
According to cybersecurity firms, World Leaks operates as an extortion group that loots data from companies to force them to pay up, or else it’ll leak the stolen information. The group previously operated as “Hunters International,” and focused on delivering ransomware to encrypt victim computers. But last year, following increased scrutiny from law enforcement, the gang rebranded as World Leaks and pivoted to extortion-only tactics.
“They typically gain initial access through phishing campaigns, compromised credentials, or exploitation of exposed services,” according to cybersecurity vendor Blackpoint Cyber. “Once inside, they perform data discovery and exfiltration, prioritizing confidential corporate or personal information.”
Image: World Leaks sites (Credit: World Leaks)
Still, it’s possible that World Leaks stole inconsequential data from Nike. The group has already listed 114 other victims; it claims to have stolen 1.3TB of data from Dell. But the PC maker says World Leaks merely infiltrated a platform the company uses to demo products to prospective clients. As a result, the hackers were only able to access and steal an outdated contact list.
databreaches.net/
Posted on January 24, 2026 by Dissent
Telehealth provider Call-On-Doc, Inc., dba Call-On-Doc.com, advertises that it has 2 million active patients and treats 150+ medical conditions. It claims to be the most highly rated telehealth service, and it assures patients of “state-of-the-art” data security for their information. But if a post on a hacking forum is accurate, Call-On-Doc recently had a breach that may have affected more than one million patients.
According to a sales listing on a hacking forum, Call-On-Doc was breached in early December, and 1,144,223 patient records were exfiltrated. The types of information reportedly included:
Patient Code, Transaction Number, Patient Name, Patient Address, Patient City, Patient State, Patient Zip, Patient Country, Patient Phone Number, Patient Email Address, Medical Category, Medical Condition, Service / Prescription, Paid Amount
Three screenshots with rows of dozens of patients’ information were included in the listing. An additional .txt file with information on 1,000 patients was also included.
Inspection of the screenshots immediately raised concerns about the sensitive information they revealed. Although some appointments were visits for conditions such as strep infections or other medical conditions, a number of patient records were for the “STD” category (sexually transmitted disease), with the specific type of STD listed in the “Condition” field.
Is Call-On-Doc HIPAA-Regulated?
Call-On-Doc does not accept insurance. It is a self-pay model, and no health insurance information or Social Security Numbers were included in the data. Because it is self-pay, DataBreaches is unsure whether Call-On-Doc is a HIPAA-regulated entity. If it uses electronic transmission for other covered transactions, it might be. But even if it is not a HIPAA-regulated entity, it would still be regulated by state laws and the Federal Trade Commission (FTC).
When HIPAA does not apply, the FTC can investigate and take enforcement action for violations of the FTC Act if there are deceptive or “unfair practices,” such as promising excellent data security for health data or patient information, but failing to deliver it.
A check of Call-On-Doc’s website reveals the following statement in its FAQ:
Q: Is my payment and medical information safe with Call-On-Doc?
A: Absolutely! Call-On-Doc employs state-of-the-art security measures, including our proprietary Electronic Health Record (EHR) system, and is fully HIPAA compliant.
According to the threat actor, they found no evidence of any encryption, and the entity did not detect the attack while it was in progress. HIPAA does not actually mandate encryption, but what “state-of-the-art” security measures did Call-On-Doc use to provide the kind of protection that protected health information (PHI) requires? And have they implemented any changes or additional protections since being alerted to the alleged breach?
Given that patients from many states may be involved, this might be a situation in which multiple state attorneys general collaborate to investigate a breach and an entity’s risk assessment, security, and incident response, including notification obligations.
Notification Obligations and Regulatory Questions
DataBreaches emailed Call-On-Doc’s privacy@ email address on Thursday to ask if it had confirmed any breach. There was no reply.
DataBreaches emailed its support@ email address on Friday. There was no reply.
If these are real data, there are several questions regulators may investigate.
According to the individual who posted the listing and shared additional details with DataBreaches in private communication, the breach occurred in early December. They contacted Call-On-Doc on December 25 to alert them to the breach and to try to negotiate a payment to avoid leaking or selling it. “They contacted me from an unofficial email address. I provided all the evidence and details, but then they stopped responding—basically ignoring me,” the person told DataBreaches.
Regardless of which federal or state agencies may have jurisdiction, if these are real patient data, Call-On-Doc also has a duty to notify patients and regulators promptly. While some regulations or statutes require “without unreasonable delay,” HIPAA has a “no later than 60 calendar days from discovery” deadline, and 19 states have notification deadlines of 30 days. As of publication, DataBreaches cannot find any substitute notice, media notice, website notice, or notification to any state attorneys general or federal regulators.
DataBreaches reminds readers that Call-On-Doc has not confirmed the claims. Even though the patient data appears likely to be real, AI has advanced to the point where threat actors can create datasets that appear legitimate. DataBreaches does not think that is the case here, but can’t rule out that possibility without contacting patients, which this site tries to avoid to spare patients any embarrassment or anxiety. In a small random sample from the 1,000-record file that DataBreaches checked via Google searches, most patients are still at the addresses listed. Others could be verified as having lived at the listed addresses in the recent past.
One other detail suggests the data are real: the seller is accepting escrow for the sale, which is usually an indicator that the listing is not a scam.
This post may be updated when Call-On-Doc responds or more information becomes available.
If you were or are a Call-On-Doc patient and have heard from Call-On-Doc about a breach, we’d like to hear from you.
therecord.media
Daryna Antoniuk
January 23rd, 2026
Germany’s Dresden State Art Collections, one of Europe’s oldest museum networks, has been hit by a targeted cyberattack that disrupted large parts of its digital infrastructure, the state of Saxony’s culture ministry said this week.
The attack, discovered on Wednesday, has left the museum group with limited digital and phone services. Online ticket sales, visitor services, and the museum shop are currently unavailable, and payments at museum sites can only be made in cash. Tickets purchased online before the incident remain valid and can still be scanned on site.
Despite the disruption, the museums remain open to visitors. The culture ministry said security systems protecting the collections were not affected and that both physical and technical security remain fully intact.
The Dresden State Art Collections, known as SKD, said it is unclear when all affected systems will be fully restored. As of Friday, the institution was still operating under restrictions, with no new updates on the incident, local media reported, citing an SKD spokesperson.
Officials have not said who carried out the attack or what their motives may have been. It is also unclear whether the incident involved a ransom demand or whether any negotiations with the attackers are underway.
The Dresden State Art Collections oversee about 15 museums, housing works by artists such as Raphael and Rembrandt, as well as the famed Green Vault, one of Europe’s richest treasure chambers, known for its royal jewels and goldwork.
Cultural institutions have increasingly become targets for cybercriminals in recent years. In 2023, Canada’s national art museum spent weeks restoring systems after a ransomware attack, while in 2022 the Metropolitan Opera in New York suffered a cyberattack that disrupted ticketing and box office operations during the busy holiday season.
Major libraries have also drawn the attention of hackers, prompting U.S. officials to launch a program to help such institutions protect themselves from cyberattacks. In 2023, ransomware crippled the systems of the British Library, one of the world’s largest and the national library of the United Kingdom. In Canada, the Toronto Public Library spent months recovering from a ransomware attack, describing the incident as a “crime scene.”
Clothing retailer Under Armour is investigating a recent data breach that purloined customers’ email addresses and other personal information, but so far there are no signs the hackers stole any passwords or financial information.
The breach is believed to have happened late last year, and affected 72 million email addresses, according to information cited by the cybersecurity website Have I Been Pwned. Some of the records taken also included personal information such as names, genders, birthdates and ZIP codes.
In an Under Armour statement acknowledging its investigation into the claims of a data breach, the Baltimore-based company said: “We have no evidence to suggest this issue has affected UA.com or systems used to process payments or store customer passwords. Any implication that sensitive personal information of tens of millions of customers has been compromised is unfounded.”
Have I Been Pwned CEO Troy Hunt said that he agrees with Under Armour’s assertion, based on the information that has emerged so far. But he also said he was surprised by the lack of an official disclosure statement from the company.