
Cybersecurity Week in Review: September 16 – 22, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches and Leaks

  • Kering (Luxury Brands Owner) – Parent company of Gucci, Balenciaga, Alexander McQueen and others confirmed a massive breach affecting several of its luxury houses. Hackers (the ShinyHunters group) accessed 7.4 million customer records containing names, contact details, and spending amounts, though Kering says no payment or ID data was stolen. The intrusion occurred in April but was only disclosed after hackers publicized the stolen data, underscoring the delayed discovery and disclosure of the incident.

  • Stellantis (Auto Maker) – Unauthorized access to a third-party customer service platform for Stellantis’ North America division potentially exposed customer contact information (e.g. names, emails, phone numbers). Stellantis stated that no sensitive personal or financial data was stored on the affected system or accessed in the breach. The company has notified customers and is investigating with the service provider.

  • SonicWall (Security Vendor) – Cloud backup breach: Attackers infiltrated SonicWall’s MySonicWall cloud service and stole firewall configuration file backups for under 5% of customers. The files included encrypted credentials and network configuration data, which could help attackers target those firewalls. SonicWall said no ransomware was involved – the attack consisted of brute-force attempts to access backup files – and it urged impacted users to reset passwords and enable MFA as a precaution.

Significant Cyberattacks and Incidents

  • Jaguar Land Rover – Ransomware Halts Production: A cyberattack forced automaker JLR to shut down its factories worldwide, with production paused for weeks. Initially disclosed on Sept. 2, the incident severely disrupted manufacturing, and JLR extended the shutdown to at least Sept. 24 as it investigated. The company first claimed no data theft, but later confirmed hackers stole some corporate data. A group affiliating itself with Scattered Spider/Lapsus$ claimed responsibility, highlighting the threat of social-engineering-driven ransomware; law enforcement in the U.K. and U.S. are involved as JLR works to safely restore operations.

  • Airports Hit via IT Vendor – Collins Aerospace: A suspected ransomware attack on Collins Aerospace (an RTX subsidiary providing airport self-service check-in software) disrupted passenger services across major European airports – including London Heathrow, Brussels, Berlin, and Dublin. Starting Friday night (Sept. 19), the outage crippled check-in and baggage systems, causing thousands of travelers to face long lines, flight delays, and cancellations over the weekend. EU cybersecurity agency ENISA confirmed a “third-party ransomware incident” and identified the ransomware strain (not publicly named). Airports resorted to manual check-ins while Collins raced to restore systems, underscoring the cascading impact of supply-chain cyber incidents on critical infrastructure.

  • U.S. School District Closed – Uvalde Ransomware: The Uvalde Consolidated Independent School District in Texas canceled classes for four days (Sept. 15–18) after ransomware infiltrated its servers, knocking out essential systems – including phone lines, building access controls, security cameras, and student management platforms. Officials described it as a “significant technology incident” impacting safety infrastructure. The district notified the FBI and cybersecurity specialists, and launched a forensic investigation to determine if any sensitive student or staff data was compromised. The incident, occurring just weeks into the school year, highlights the continued cyber threat to K-12 education and the importance of cyber resilience in schools.

  • npm Supply-Chain Worm – “Shai-Hulud”: Researchers revealed an ongoing supply chain attack on the npm package ecosystem that had compromised at least 187 packages by Sept. 16. Dubbed “Shai-Hulud,” the attack began by infecting a widely used color library (with 2 million weekly downloads) and then spread worm-like to other packages maintained by the same authors. Notably, some malicious updates were published under the CrowdStrike namespace on npm. The injected code used tools like TruffleHog to steal secrets and automatically propagate to more projects. CrowdStrike said it swiftly removed the rogue packages and rotated keys. This incident underscores the supply-chain risks in open-source and the need for vigilance when updating software dependencies.

  • Healthcare Data at Risk – KillSec in Brazil: A ransomware gang “KillSec” attacked MedicSolution, a Brazilian cloud software provider for clinics, exfiltrating 34+ GB of patient data (94,000+ files) including lab results, X-rays, and records – even data on minors. The breach, claimed on Sept. 8, was traced to insecure AWS S3 buckets that left data exposed. KillSec threatened to leak the sensitive healthcare information unless paid. Security researchers warned this compromise of a medical IT provider could impact many clinics relying on its services, illustrating how attacks on a tech supplier can jeopardize data across multiple healthcare organizations. MedicSolution and authorities are working to contain the damage while affected clinics notify patients.

Critical Vulnerabilities and Patches

  • CVE-2025-10585 – Google Chrome 0‑day: Google pushed an emergency Chrome update after discovering a high-severity zero-day vulnerability (type confusion in the V8 JavaScript engine) actively exploited in the wild. Tracked as CVE-2025-10585, the bug has a public exploit, suggesting attackers were using it before the patch. Users on Windows, macOS, and Linux were urged to update to Chrome version 140.0.7339.185/.186, which fixes the issue. This is Chrome’s sixth exploited zero-day of 2025, often linked to spyware campaigns targeting high-risk users, underlining the importance of prompt browser updates.

  • CVE-2025-43300 – Apple Image I/O Flaw: Apple released patches for older iPhones and iPads (iOS/iPadOS 15 and 16 series) to backport a fix for a zero-day bug (CVE-2025-43300) in its Image I/O framework. The vulnerability, an out-of-bounds write when processing images, was previously patched in August for iOS 18 and macOS after being used in “extremely sophisticated” attacks against a small number of targeted individuals. Apple warned that processing a malicious image could lead to code execution, and noted the exploit was part of a chain (with a WhatsApp zero-day CVE-2025-55177) used in a spyware campaign. Users of older devices are advised to install the updated OS versions that include the improved bounds-checking.

  • CVE-2025-55234 – Microsoft Windows/SMB: Microsoft’s September patch bundle (released earlier in the month) addressed CVE-2025-55234, a Windows SMB client vulnerability rated Important (CVSS 8.8) that is notable because it can be exploited remotely despite being labeled a privilege-escalation flaw. The bug, which was publicly known prior to the patch, allows an attacker with network access to perform a “relay” attack and gain SYSTEM privileges, potentially leading to code execution on the target. Microsoft urged organizations to apply this patch given the likelihood of exploitation, and security experts highlighted it as a reminder that even non-zero-day flaws in fundamental protocols like SMB can pose serious risks if left unpatched.

  • CVE-2025-54236 – Adobe Commerce (Magento): Adobe released an out-of-band hotfix (APSB25-88) on Sept. 9 to fix a critical improper input validation bug in Adobe Commerce/Magento, identified as CVE-2025-54236. The flaw (nicknamed “SessionReaper” by researchers) could allow an unauthenticated attacker to take over customer accounts via the Commerce REST API. While Adobe found no evidence of in-the-wild abuse, the company deployed Web Application Firewall rules for cloud-hosted stores as a temporary protection. Merchants were urged to promptly apply the provided patch to fully remediate the issue, as simply relying on WAF mitigations is insufficient. This case highlights the urgency of patching e-commerce platforms to prevent account hijacking attacks.

Government and Industry Cyber Responses

  • UK’s MI6 Opens Dark Web Recruiting: Britain’s foreign intelligence service (MI6) launched a secure dark web “onion” site called Silent Courier to encourage would-be informants worldwide to contact the agency anonymously. Announced by MI6 Chief Richard Moore on Sept. 19, the Tor-based portal lets people with information on terrorism or hostile state activities reach MI6 without revealing their identity. The UK joins the CIA and major news organizations in using dark-web platforms to protect sources. Officials said this initiative, accompanied by how-to-access videos in multiple languages, is a “virtual open door” for global spies and reflects efforts to modernize intelligence-gathering.

  • Brazil Enacts Online Child Safety Law: Brazilian President Luiz Inácio Lula da Silva signed a sweeping new digital law on Sept. 18 that requires online services to verify users’ ages and bolster privacy protections for minors. Dubbed the “Digital ECA,” the law forces tech companies to implement “reliable” age verification (simple self-declaration is no longer enough) and to enable parental supervision features on platforms. It also bans using children’s data for targeted ads and mandates blocking under-18 users from content about violence, pornography, drugs, gambling, or self-harm. This is Latin America’s first law dedicated to children’s online privacy and safety, reflecting a global trend toward stricter regulation of Big Tech in the interest of child protection.

  • U.S. Public Sector Urges Cyber Support: A coalition of U.S. state and local government organizations (including the National Governors Association, National Association of Counties, and others) pressed Congress to restore federal funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC). In a joint letter, they warned that recent federal budget cuts to MS-ISAC – a key resource for cyber threat monitoring and incident response in the public sector – leave smaller municipalities dangerously exposed. The groups noted MS-ISAC helped thwart tens of thousands of attacks in 2024, and argued that without federal support, under-resourced communities will struggle to defend against cyber threats. This advocacy comes amid a surge in ransomware hitting city and county governments, highlighting the need for sustained public-sector cybersecurity funding.

  • Crackdown on Scattered Spider: Law enforcement on both sides of the Atlantic stepped up actions against the notorious Scattered Spider hacking group. In Las Vegas, police announced a juvenile suspect tied to last year’s MGM Resorts and Caesars Entertainment breaches turned himself in on Sept. 17 and now faces charges including computer fraud and extortion. Meanwhile, in Europe, a 17-year-old was arrested in the UK for the MGM attack, and just last week a UK national was arrested in London and charged in the U.S. for involvement in over 120 Scattered Spider-related attacks. These developments follow the group’s claim of the recent Jaguar Land Rover hack. The arrests demonstrate increasing international coordination to identify and prosecute cybercriminals, though the group’s diffuse affiliate model continues to pose challenges.

Miscellaneous

  • YouTube Star Violates Kids’ Privacy: An industry watchdog found that popular YouTuber MrBeast (Jimmy Donaldson) improperly collected data from children in violation of privacy standards. The Children’s Advertising Review Unit (CARU) reported that MrBeast’s online sweepstakes asked participants (many under age 13) to submit personal info (full name, address, phone, email) to enter – without any parental consent mechanism. The data was then shared with third parties for marketing, potentially breaching COPPA (U.S. children’s online privacy law). In response, MrBeast’s team worked with CARU to overhaul his data collection and advertising practices, though they publicly disagreed with some of the findings. The case highlights growing scrutiny of influencers’ compliance with child privacy rules.

  • Russian APTs Team Up in Ukraine: Cybersecurity researchers revealed a rare collaboration between two FSB-linked Russian spy groups, Turla and Gamaredon, in operations against Ukraine. Slovak firm ESET observed instances where Gamaredon (a prolific Russian state hacker active in Ukraine) and Turla (an elite espionage group) both breached the same Ukrainian networks, with Turla even using Gamaredon’s foothold to deploy its own backdoor. In one case Turla remotely restarted its malware via a Gamaredon implant. This is the first documented technical link between these two APTs, indicating an unprecedented level of coordination between separate Russian espionage units. Analysts suggest Gamaredon may be providing initial access for Turla to exploit high-value targets, underscoring the evolving tactics in the Russia-Ukraine cyber conflict.

  • Ransomware Gangs Proliferate: New industry research shows the ransomware ecosystem has splintered into a record number of groups following law enforcement crackdowns on major gangs. Malwarebytes tracked 41 new ransomware crews emerging over the past year (July 2024–June 2025), with over 60 groups active concurrently – the highest ever observed. Many are rebrands or offshoots of busted gangs, enabled by leaked code and readily available tools. Experts say takedowns of giants like LockBit and Hive destroyed their infrastructure but often failed to nab the perpetrators, who simply launched or joined new smaller operations. This fragmentation means no single group dominates: the top 10 gangs now account for only ~50% of attacks (down from 69% two years ago) as dozens of mid-sized players thrive. The trend underscores that while big RaaS syndicates are being disrupted, the threat has become more diffuse, challenging defenders to monitor a wider range of actors.

Conclusion

  • Resilience Amid Ransomware: This week’s incidents reinforce that ransomware can cripple operations across sectors – from car factories and airports to schools. Organizations should ensure robust business continuity plans, data backups, and network segmentation so they can maintain critical functions and recover quickly if attacked. Regular drills and employee cyber awareness (to resist phishing and social engineering) are key lessons as threat actors increasingly target operational technology and supply chains.

  • Patch Urgently, Patch Often: The flurry of critical vulnerabilities (in Chrome, Apple devices, Windows SMB, Adobe Commerce, etc.) highlights the importance of timely patch management. Many of these flaws were actively exploited or severe enough to warrant emergency fixes. Enterprises and end-users alike must prioritize updates – especially for internet-facing software – and consider advanced defenses (like threat intelligence monitoring and virtual patching) given the narrow window before exploits emerge.

  • Third-Party Risk & Data Hygiene: Major breaches at Kering, Stellantis, and SonicWall this week show that even well-resourced firms are vulnerable via third-party platforms and cloud services. It’s crucial to vet and monitor vendors’ security and to limit the data you entrust to them. Stolen customer data (even “just” contact info or purchase history) can fuel fraud and phishing, so breached organizations need transparent disclosure and support for affected individuals (e.g. phishing education, credit monitoring). Data minimization – not collecting or retaining unnecessary personal data – can reduce the impact if a leak occurs.

  • Stronger Defense Ecosystem: On the positive side, we saw robust responses from the cybersecurity community: government agencies are innovating (MI6 on the dark web), lawmakers are enacting new protections (Brazil’s online safety law), and international law enforcement cooperation is yielding arrests of major cybercrime suspects. These efforts, combined with industry initiatives (like MS-ISAC support and watchdog enforcement of privacy rules), are vital to shifting the balance against attackers. Going forward, organizations should stay engaged with these public-private partnerships, comply with evolving regulations, and invest in security frameworks that align with the higher standards being set globally.

Sources

  • KrebsOnSecurity – Expert cybersecurity blog (Brian Krebs)

  • The Record (Recorded Future News) – Cybersecurity news outlet (in-depth reporting and briefs on breaches, attacks, and policy)

  • Dark Reading – Industry news site focused on threats, breaches, and vulnerabilities

  • Cybersecurity Dive – News outlet covering major cyber incidents and business impacts

  • BleepingComputer – Security news and tech support site (coverage of zero-days, malware, etc.)

  • Cybernews – Cybersecurity news and research (provided details on the Kering luxury breach)

  • SecurityWeek – Cybersecurity news (industry developments and technical analysis)

  • The Hacker News – Security news (reports on new vulnerabilities, patches, and exploits)

  • CyberScoop – News site for cybersecurity policy, government, and enterprise news

  • Bank Info Security – Media outlet covering data breaches, regulatory actions, and infosec trends

  • CrowdStrike (Blog/Reports) – Threat research reports and analysis from CrowdStrike’s intelligence team

  • Cybersecurity Ventures – Research publisher (cyber economics, trends, and statistics reports)