#data-breach

#data-breach

Privacy watchdogs in Ontario and Alberta issued their findings Tuesday after investigating a mass data breach of a student information system used across Canada, concluding that school boards lacked adequate breach response plans, among other issues. Ontario's privacy commissioner says PowerSchool, a software and storage company for school systems in the U.S. and Canada, was a victim of a cyberattack and ransom threat in December 2024 that compromised the data of current and former students, parents and staff.

The researcher, Jonathan Clark, says he knows this for a fact because he reported the attack to Coinbase on January 7 after the criminals tried to scam him. According to Clark, Coinbase's Head of Trust and Safety Brett Farmer responded to his "comprehensive security report" the same day he emailed it to the company's security@ address. In a blog about the incident, Clark says Farmer replied: "This report is super robust and gives us a lot to look into. We are investigating this scammer now."

A person claiming to be one of the University of Pennsylvania hackers says that about "1.2 million lines of data" will be kept private for the group to sell before it is made public. The group also plans to make other documents public. In comments to The Verge, the hacker or hackers distanced themselves from earlier hacks of other private universities including Columbia - which were aimed at demonstrating colleges had maintained unlawful pro-diversity policies.

Today's reminder of the insider threat comes to us from the National Health Service in the U.K. Craig Meighan and Billy Gaddi report: A woman has been charged after Scots patients had their private medical records accessed during an NHS data breach. Reports suggest around 100 patients in NHS Lothian could have had their records accessed as a result of the incident. The health board said it discovered patients in the region may have had their information "inappropriately accessed" during routine monitoring.

On 9 October 2025 the Federal Court of Australia (the Court) imposed an AU$5.8 million civil penalty on Australian Clinical Labs Limited, one of Australia's largest private hospital pathology service providers (the Company), for systemic failures that led to the unauthorised access to and exfiltration of the sensitive personal information of more than 223,000 individuals.

While scanning for unsecured databases at the end of September, an ethical security researcher stumbled upon the exposed cache of data and discovered that it was part of a site called DomeWatch. The service is run by the House Democrats and includes videostreams of House floor sessions, calendars of congressional events, and updates on House votes. It also includes a job board and résumé bank.

An unencrypted, non-password-protected database was discovered by Cybersecurity Researcher Jeremiah Fowler. This database contained files from an email marketing platform and held approximately 40 billion records (13 TB). The records appeared to belong to Netcore Cloud Pvt. Ltd (Netcore), an India-based company providing marketing services. Fowler sent a message to Netcore to inform them of the exposure, and the database was restricted the same day.

"Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault, just sitting there," it said. "With a note that says 'free to a good home.' [The lead researcher had] investigated breaches that started with less. Way less. He once traced an entire ransomware incident back to a single web.config file that leaked a connection string. That was 8 kilobytes. This was four terabytes.

on the unindexed internet.

A spokesperson for Apple told Business Insider that both apps were removed for not meeting "requirements around content moderation and user privacy, in addition to receiving an excessive number of user complaints and negative reviews - including complaints of minors' personal information being posted in the apps." The spokesperson added that for Apple, the general approach after discovering a violation is to communicate with the app developer to bring the platform up to standard.

Anti-fraud nonprofit Cifas was left red-faced after sending out a calendar invite that exposed the email addresses of dozens of individuals working across the fraud space. The invite was sent in August to a session scheduled for October 16 about the organization's JustMe app, which allows individuals to confirm if applications made in their name are genuine. Over a dozen addresses were exposed in the To field, with another 45 in the CC field, according to the message.

On October 16 and 17, the ScatteredLAPSUS$Hunters Telegram channel repeatedly violated Telegram's TOS by leaking personal information on people - and in this case, information on employees of the Department of Justice (DOJ/FBI), U.S. Attorneys Office (DOJ/USAO), the Department of Homeland Security (DHS), and the Federal Aviation Authority (FAA). DataBreaches did not report on it at the time precisely because the files were still exposed. Instead, DataBreaches contacted Telegram to inquire why the channel hadn't been banned again for leaking sensitive information about government employees.

More than 17 million individuals were likely impacted by a data breach at peer-to-peer lending marketplace Prosper, data breach notification service Have I Been Pwned warns.Prosper disclosed the incident last month, noting that hackers accessed its network and stole confidential, proprietary, and personal information from its systems. According to the US-based company, the attackers queried its database containing customer information and applicant data to exfiltrate the information, but did not access user accounts.

In August, the New York State Department of Financial Services reached agreement with Healthplex, Inc., a licensed insurance agent and independent adjuster, to pay a $2 million civil penalty after a hacker executed a phishing attack on an employee's email and gained access to the private health data and sensitive nonpublic information of tens of thousands of Healthplex consumers. Eight years in the making, the final phase of New York's groundbreaking Cybersecurity Regulation Part 500 takes effect Nov. 1.

If you're a current or former AT&T customer, the deadline to file a claim to be part of the $177 million class-action settlement over two major data breaches has been extended. The breaches -- one dating back to 2019 and a second in 2024 -- exposed Social Security numbers, call and text records, names, addresses, dates of birth, and more.

A database was found to be without password protection or encryption, exposing approximately 180,000 records (178,519 files) containing PII and payment data. This database was discovered by Jeremiah Fowler, a Cybersecurity Researcher and was initially reported to Website Planet . In an examination of the exposed files, Fowler identified invoices that contained personally identifiable information (PII). Sensitive data in these invoices included, but was not limited to: These invoices belonged to employees, customers, service providers and partners globally.

The Qantas data, which was stolen from a Salesforce database in a major cyber-attack in June, included customers' email addresses, phone numbers, birth dates and frequent flyer numbers. It did not contain credit card details, financial information or passport details. On Saturday the group marked the data as leaked, writing: Don't be the next headline, should have paid the ransom.