Tata Electronics confirms cyberattack as hackers leak data

Bill Toulas reports: Tata Electronics has confirmed in a statement to BleepingComputer that it was the target of a cyberattack that impacted parts of its IT infrastructure. The company emphasizes that its operations continued to run normally and were not affected by the incident. […] While Tata Electronics has not disclosed the threat actor’s identity,...

LastPass says hackers stole customer support case data during Klue breach

Password manager LastPass is still dealing with the settlement from its 2022 data breach (see Related Posts, below, for background on that), but now it has another breach to disclose. Zack Whittaker reports: Password manager maker LastPass is notifying customers that their personal information and customer support case records were stolen during a recent hack...

Two men, believed to be part of Scattered Spider, plead guilty over £39m TfL cyber attack

Two members of Scattered Spider, who were arrested in 2024 and 2025, have reportedly changed their pleas to guilty just before their trials were set to begin. Victoria Collins reports: Two men have pleaded guilty to offences in connection with a massive cyber attack which caused Transport for London (TfL) months of disruption and cost...

Klue OAuth breach victim list grows as Icarus hackers claim attack

Lawrence Abrams reports: Market intelligence platform Klue has publicly confirmed a recent security incident that allowed threat actors to steal OAuth tokens used to connect to customers’ Salesforce environments, as the new “Icarus” extortion group publicly claims the attack. The disclosure comes after cybersecurity firms Huntress and ReliaQuest detailed how attackers abused compromised Klue Battlecards integrations to steal Salesforce...

JLR ordered 30,000 staff to reset passwords in person after cyberattack

Aimee Turner reports: Jaguar Land Rover ordered all 30,000 employees to reset their passwords in person following a cyberattack that raised concerns staff credentials had been compromised. Speaking at Infosecurity Europe, former Jaguar Land Rover chief information security officer Ashish Shrestha revealed the company required employees to physically verify their identity before resetting passwords after...

UK: Hotel guests issued urgent ‘check’ alert as personal details stolen from major chain

Elaine Blackburne reports: Hotel guests have been warned to stay alert for convincing fraudulent messages following a data breach at a major hotel chain. Personal information belonging to individuals with reservations at one of the chain’s properties was compromised over a six-month period. BWH Hotels, the parent company behind WorldHotels, Best Western Hotels & Resorts,...

South Korea Hands Coupang a Record-Breaking $409 Million Data Privacy Fine

DataBreaches has been impressed by South Korea’s response to data breaches ever since reading about how its financial regulator responded to three credit card companies whose customers suffered a major data leak. Unlike any enforcement action DataBreaches had ever seen levied here in the U.S., the firms had their ability to enroll new customers suspended...

Power company in Japan fears data breach after losing storage drive containing customer details

Buranond Kijwatanachai reports: Private personal information of nearly 11 million people may have been leaked after a Kyushu power company lost a storage drive earlier this year. According to Asahi Shimbun, the storage drive was discovered missing on 26 May. The company insists that sensitive financial information was not leaked. On 27 April, a contractor for...

Instagram Recovery Tool Bug Exposed 20,225 Accounts to Password Reset Abuse

Waqas reports: Meta has disclosed a security incident involving an Instagram account recovery tool after attackers used a flaw to send password reset links to email addresses that were not connected to the targeted accounts. According to a data breach notice filed with the Maine Attorney General’s Office, Meta Platforms said the issue affected 20,225 people in...

Ex-Threat Intel Exec Accuses IBM and AT&T of Hiding Hacks

Tiffany Wang reports: IBM and AT&T lacked basic security controls and hid nation-state hacking breaches from the government, a former IBM threat intelligence official alleged in a newly unsealed lawsuit. Former IBM Vice President of Threat Intelligence William Barlow claimed the companies did not keep logs for AT&T-managed VPN connections into IBM cloud services and...

KR: Tving CEO Apologizes for Unprecedented Data Leak

This is what incident response and accountability should look like in the U.S., too, but almost never does.  The Chosun Daily reports: OTT platform Tving, TVING, has faced controversy over leaking members’ personal information, with its representative director personally apologizing. On the afternoon of the 3rd, Tving’s CEO Choi Joo-hee stated, “We sincerely apologize for...

UK Visa Portal spilled thousands of applicants’ passports and selfies online — and hasn’t fixed the leak

Zack Whittaker reports: A website called UK Visa Portal is publicly exposing the passports and selfie photos of applicants who signed up and paid the site to obtain a U.K. immigration visa, TechCrunch has learned. An anonymous person notified TechCrunch about the security lapse, saying that the website is exposing at least 100,000 documents from...

Rhode Island’s workers’ compensation notifies those affected by January data breach

Rhode Island residents may understandably wonder about the state’s vendor security monitoring. First, it was the Deloitte and the RIBridges data breach that affected more than 730,000 residents. Now the vendor that administers the state’s workers’ compensation insurance has disclosed a breach affecting 131,000 residents, including 4,500 former and current state employees. Alexander Castro reports:...

UK: Victims feel ‘violated’ after water firm’s data breach

Oprah Flash reports: “Violated” and being “unable to trust” have been the feelings plaguing victims of a cyber attack on a Midlands-based water company. The personal data of 633,887 people was stolen and published on the dark web, after South Staffs Water was hacked in 2020. Customers said they faced a deluge of scam emails...

Trump Mobile confirms it exposed customers’ personal data, unclear whether it will notify those affected

Lorenzo Franceschi-Bicchierai reports: Phone provider Trump Mobile has confirmed that it was exposing customers’ names, email addresses, mailing addresses, cell numbers, and order identifiers to the open internet. Chris Walker, a spokesperson for the Trump-branded phone maker, told TechCrunch that the company is investigating the exposure and has not found evidence that content or financial...

Extant Aerospace Data Breach Exposed SSNs for More Than 3,000 People

Claim Depot reports: Extant Aerospace, a defense and space electronics company based in Melbourne, Florida, disclosed a data breach that affected 3,012 individuals in the United States. The company, legally known as Symetrics Industries LLC, manufactures and supplies complex electronic assemblies for the Department of Defense and international customers for both military and commercial use. On...

No need to hack when it’s leaking: Dalbir Singh & Associates law firm edition

Dalbir Singh & Associates ignored multiple attempts at responsible disclosure but finally locked down its misconfigured Amazon bucket, only to expose it again. Now the data is in the hands of criminals trying to extort them.  On April 6, DataBreaches reported on a misconfigured Amazon bucket belonging to an immigration law firm in New York....

UK: Regulator fines water company almost £1m for cybersecurity failures

Maxine Brigue reports: The Information Commissioner’s Office (ICO) has fined utility company South Staffordshire Water £963,900 after a cyber attack that resulted in users’ personal information being extracted and published on the dark web. The fine was issued last week (7 May) after a cyber attack ran from September 2020 to July 2022 and exposed the data...
