Major Data Breaches and Leaks
- Nova Scotia Power (Canada, May 23): The provincial utility confirmed that the intrusion it had been investigating since April was a "sophisticated ransomware attack" and that data on roughly 280,000 customers was taken. Exposed fields include names, dates of birth, contact details (email, phone, postal address), power-usage history and, for some customers, government and financial identifiers: driver's licence numbers, Social Insurance Numbers and bank account numbers. The company said it has not paid a ransom and is still assessing the full scope of the breach.
- Marlboro-Chesterfield Pathology (USA, reported May 22): The North Carolina medical laboratory disclosed that a SafePay ransomware incident in late January affected 235,911 patients. Stolen records combined personal identifiers (name, address, date of birth) with medical treatment and health-insurance information. The lab reported the theft to the U.S. Department of Health and Human Services, and SafePay has claimed responsibility for the attack.
- Coinbase (USA, reported May 21): The cryptocurrency exchange disclosed that data on 69,461 customers (the figure in its filing with the Maine attorney general) was taken in a months-long campaign in which criminals bribed overseas customer-support contractors to pull records from internal tools. Exposed data included names, email and postal addresses, phone numbers, government-ID images, masked bank-account details, account balances and transaction histories. The attackers demanded $20 million not to publish the data; Coinbase refused, reported the breach to state and federal regulators, fired the implicated contractors, and instead offered a $20 million reward for information leading to the attackers' arrest.
Significant Cyberattacks and Incidents
- Kettering Health (USA, May 20): A ransomware attack on the Ohio hospital network triggered a system-wide outage across its 14 medical centers. Elective procedures were canceled, call centers went offline, and the MyChart patient portal was unreachable, while emergency departments stayed open under downtime procedures. News reports tied the incident to an Interlock ransomware note left on affected systems, but Kettering declined to comment on attribution or on any ransom demand.
- Cellcom (USA, mid-May): Wisconsin-based wireless carrier Cellcom confirmed that a "cyber incident" was behind a roughly week-long outage of voice and text service. Starting May 14, customers in Wisconsin and Michigan could not place calls or send SMS, while data service largely continued to work. Cellcom said the incident occurred in a part of its network that does not hold sensitive customer data and that it had no evidence personal information was taken. Service was restored gradually toward the end of the week, with full recovery expected shortly after; the company engaged external cybersecurity firms and notified authorities.
Critical Vulnerabilities and Patches
- AutomationDirect MB-Gateway (CVE-2025-36535): CISA and researchers disclosed a critical flaw (CVSS 10.0) in AutomationDirect's industrial MB-Gateway Modbus gateways. The embedded web server performs no authentication at all, so anyone who can reach the device over the network can take full control of the gateway without credentials. Roughly a hundred such devices were found directly exposed to the internet. Because the product is at end of life and will not be patched, AutomationDirect's advice is to replace the MB-Gateway with a supported model or, at minimum, keep it off the internet behind a firewall.
- VMware Cloud Foundation (CVE-2025-41229): Broadcom/VMware issued patches on May 20 for a set of flaws, led by CVE-2025-41229 (CVSS 8.2), a directory-traversal vulnerability in VMware Cloud Foundation itself that an attacker with network access to port 443 can use to reach internal services that are not meant to be exposed. Two further VCF bugs were fixed alongside it (CVE-2025-41230, information disclosure, and CVE-2025-41231, missing authorization). A separate advisory the same day patched vCenter Server and ESXi, headed by CVE-2025-41225 (CVSS 8.8), which lets an authenticated user with permission to create or modify alarms run arbitrary commands on vCenter Server. There is no workaround, so administrators are urged to upgrade immediately (to Cloud Foundation 5.2.1.2 for the VCF flaws).
- Ivanti Endpoint Manager Mobile (CVE-2025-4427, CVE-2025-4428): Security firm Wiz reported active exploitation of two Ivanti EPMM flaws that Ivanti patched on May 13. CVE-2025-4427 is an authentication bypass (rated medium, 5.3) and CVE-2025-4428 a post-authentication remote code execution bug (rated high, 7.2); Ivanti attributes both to open-source libraries bundled with EPMM. Chained, the two give an unauthenticated attacker remote code execution on the appliance, which is why the individually modest ratings understate the risk. Exploitation was observed from May 16, with attackers using the chain to drop Sliver implants on compromised servers. Organizations should update EPMM to the fixed versions immediately and review internet-facing appliances for signs of compromise.
- Commvault Metallic SaaS (CVE-2025-3928): CISA warned on May 22 about continuing exploitation of a Commvault flaw. CVE-2025-3928 (CVSS 8.7) is an unspecified vulnerability in the Commvault Web Server that lets a remote, authenticated attacker create and execute web shells. Commvault patched it in late February 2025 after Microsoft reported that a suspected nation-state actor had used it as a zero-day against Commvault's Azure-hosted Metallic backup service. The attackers reportedly obtained the application secrets Metallic uses to access some customers' Microsoft 365 tenants, giving them a path into those environments. CISA added the CVE to its Known Exploited Vulnerabilities catalog on April 28 and advised affected customers to rotate the exposed application credentials, apply the patches, and audit both their Microsoft 365 tenants and their backup infrastructure.
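The four vulnerabilities above share one operational problem: deciding, before the CISA due date, which hosts in an inventory are actually exposed. The script below is an added example (not from the page's sources, CISA or any of the vendors) that cross-references a small asset inventory against an excerpt in the shape of CISA's KEV JSON feed. The catalog excerpt, the inventory and the `FIXED_VERSIONS` table are constructed for illustration; KEV entries carry no version data, so the fixed-version table is something your own team maintains from the vendor advisories, and the version strings here are assumptions to be checked against those advisories. Hosts whose version branch has no listed fix are reported as "unknown" rather than silently treated as safe.

```python
"""Cross-reference an asset inventory against a CISA KEV-style catalog.

Added example. KEV_EXCERPT, INVENTORY and FIXED_VERSIONS are constructed;
the JSON keys follow CISA's known_exploited_vulnerabilities.json schema,
the version numbers are illustrative assumptions.
"""
import json
from datetime import date

KEV_EXCERPT = json.dumps({
    "catalogVersion": "2025.05.23",
    "vulnerabilities": [
        {"cveID": "CVE-2025-3928", "vendorProject": "Commvault", "product": "Web Server",
         "dateAdded": "2025-04-28", "dueDate": "2025-05-19"},
        {"cveID": "CVE-2025-4427", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2025-05-19", "dueDate": "2025-06-09"},
        {"cveID": "CVE-2025-4428", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2025-05-19", "dueDate": "2025-06-09"},
    ],
})

# First fixed build on each release branch (assumption: illustrative values;
# take the authoritative list from the vendor advisory).
FIXED_VERSIONS = {
    "CVE-2025-3928": ["11.20.217", "11.28.141", "11.32.89", "11.36.46"],
    "CVE-2025-4427": ["11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1"],
    "CVE-2025-4428": ["11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1"],
}

# Constructed CMDB export.
INVENTORY = [
    {"host": "epmm-01", "vendor": "Ivanti", "product": "EPMM", "version": "12.4.0.1"},
    {"host": "epmm-02", "vendor": "Ivanti", "product": "EPMM", "version": "12.5.0.1"},
    {"host": "cv-01", "vendor": "Commvault", "product": "Commvault Web Server", "version": "11.36.40"},
    {"host": "cv-02", "vendor": "Commvault", "product": "Commvault Web Server", "version": "11.40.3"},
    {"host": "vc-01", "vendor": "VMware", "product": "vCenter Server", "version": "8.0.3"},
]


def _vtuple(version):
    """'12.4.0.1' -> (12, 4, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def patch_status(version, fixed_versions):
    """Return 'patched', 'vulnerable', or 'unknown' (no fixed build on this branch)."""
    branch = _vtuple(version)[:2]
    on_branch = [f for f in fixed_versions if _vtuple(f)[:2] == branch]
    if not on_branch:
        return "unknown"
    first_fix = min(_vtuple(f) for f in on_branch)
    return "patched" if _vtuple(version) >= first_fix else "vulnerable"


def _product_matches(asset, kev_entry):
    """Loose vendor/product join; KEV product names rarely equal CMDB names exactly."""
    if asset["vendor"].lower() != kev_entry["vendorProject"].lower():
        return False
    a, k = asset["product"].lower(), kev_entry["product"].lower()
    return a in k or k in a


def kev_exposure(kev_json, inventory, fixed=FIXED_VERSIONS, as_of=date(2025, 5, 23)):
    """List unpatched or unverifiable hosts per KEV entry, most urgent first."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        cve = entry["cveID"]
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not _product_matches(asset, entry):
                continue
            status = patch_status(asset["version"], fixed.get(cve, []))
            if status == "patched":
                continue
            findings.append({
                "host": asset["host"], "cve": cve, "version": asset["version"],
                "status": status, "due": entry["dueDate"],
                "days_overdue": max(0, (as_of - due).days),
            })
    # Confirmed-vulnerable hosts first, then by how far past the CISA due date.
    findings.sort(key=lambda f: (f["status"] != "vulnerable", -f["days_overdue"], f["host"]))
    return findings


if __name__ == "__main__":
    for finding in kev_exposure(KEV_EXCERPT, INVENTORY):
        print(finding)
```

Feed the real catalog in place of `KEV_EXCERPT` and the script becomes a daily check; the "unknown" status is deliberate, since a host on a branch the vendor did not list is exactly the one that gets forgotten.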
Government and Industry Cyber Responses
- Russia's GRU Campaign (May 21): The U.S. NSA, FBI and CISA, the UK NCSC, Germany's BSI and partner agencies in several other countries issued a joint advisory (AA25-141A) warning that GRU military unit 26165 (tracked as APT28 / Fancy Bear) has been targeting Western logistics providers and technology companies involved in delivering aid to Ukraine. The advisory details the unit's techniques, including credential guessing, spear-phishing, exploitation of known vulnerabilities and access to internet-connected cameras near border crossings, and urges affected organizations to apply the listed mitigations and share intelligence.
- Commvault/Microsoft Advisory (May 22): CISA's alert on the Commvault SaaS flaw (CVE-2025-3928) noted above urged Metallic customers whose application secrets may have been exposed to assume those credentials are compromised. Recommended steps include monitoring Microsoft Entra audit logs for credential additions or changes to service principals that were initiated by Commvault applications, rotating the affected secrets, restricting the Commvault app to an approved IP range through conditional access, and limiting access to Commvault management interfaces to trusted networks.
- LummaC2 Infostealer (May 21): The FBI and CISA released a joint advisory (AA25-141B) on LummaC2, a widely sold infostealer that harvests browser data, saved credentials and cryptocurrency-wallet material. The advisory shares indicators of compromise from activity between November 2023 and May 2025 and recommends defensive measures such as phishing awareness and browser hardening. Separately, Microsoft's Digital Crimes Unit and the U.S. Department of Justice, working with Europol and other partners, seized much of LummaC2's infrastructure the same week, taking down or sinkholing roughly 2,300 domains and disrupting its command-and-control network.
- Operation RapTor (May 22): The U.S. Department of Justice announced the results of Operation RapTor, a worldwide action against darknet drug markets coordinated with the FBI, Europol and other agencies. It produced 270 arrests across 10 countries and seizures of more than $200 million in cash and cryptocurrency, over two tonnes of narcotics and 180 firearms. Although focused on drug trafficking, the operation shows the sustained law-enforcement pressure on crime conducted through darknet marketplaces.
- Industry Alerts: Security vendors and ISACs also responded, publishing technical analyses, indicators of compromise and mitigations for the Ivanti EPMM and Commvault exploitation noted above; Wiz Research, for example, documented the EPMM exploit chain and the Sliver payloads it observed in the wild. Affected companies continued to lean on regulatory requirements and government guidance (state breach-notification laws, federal cybersecurity directives) and on cyber-insurance and managed detection and response providers as part of their post-incident handling.
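The Commvault CVE entry and the CISA advisory above both come down to one hunt: find credentials added to application or service-principal objects in Microsoft Entra by an actor you did not expect. The script below is an added example (not from the page's sources, CISA, Microsoft or Commvault) that runs that check over audit records. The records are constructed to mirror the shape of Microsoft Graph `auditLogs/directoryAudits` entries (field names such as `activityDisplayName`, `initiatedBy` and `targetResources` are assumed from that API; adjust them if your export differs), the activity-name strings are assumed to match what Entra emits for credential changes, and the approved-initiator list and application names are invented for the example.

```python
"""Hunt Microsoft Entra audit logs for unexpected credential additions.

Added example. SAMPLE_AUDIT_LOG is constructed in the shape of Graph
directoryAudits records; CREDENTIAL_ACTIVITIES and APPROVED_INITIATORS are
assumptions to tune for a real tenant.
"""
import json
from datetime import datetime

# Activity names Entra records when app/service-principal credentials change
# (assumption: strings as emitted by the directoryAudits feed).
CREDENTIAL_ACTIVITIES = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}

# Accounts that legitimately rotate secrets in this tenant (constructed).
APPROVED_INITIATORS = {"it-automation@example.com"}

# Constructed sample records; not real tenant data.
SAMPLE_AUDIT_LOG = json.dumps([
    {   # benign: scheduled rotation by the approved automation account
        "activityDateTime": "2025-05-20T02:00:00Z",
        "activityDisplayName": "Update application – Certificates and secrets management",
        "category": "ApplicationManagement", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "it-automation@example.com"}, "app": None},
        "targetResources": [{"displayName": "Payroll Connector", "type": "Application"}],
    },
    {   # suspicious: an application identity adds a secret to another app
        "activityDateTime": "2025-05-21T14:37:12Z",
        "activityDisplayName": "Update application – Certificates and secrets management",
        "category": "ApplicationManagement", "result": "success",
        "initiatedBy": {"user": None, "app": {"displayName": "Backup SaaS Connector"}},
        "targetResources": [{"displayName": "M365 Backup", "type": "Application"}],
    },
    {   # noise: unrelated directory change
        "activityDateTime": "2025-05-21T15:00:00Z",
        "activityDisplayName": "Add member to group",
        "category": "GroupManagement", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}, "app": None},
        "targetResources": [{"displayName": "Helpdesk", "type": "Group"}],
    },
    {   # suspicious: failed attempt by a non-approved user, still worth a look
        "activityDateTime": "2025-05-22T09:15:00Z",
        "activityDisplayName": "Add service principal credentials",
        "category": "ApplicationManagement", "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "contractor7@example.com"}, "app": None},
        "targetResources": [{"displayName": "M365 Backup", "type": "ServicePrincipal"}],
    },
])


def _initiator(record):
    """Return (name, is_app) for whoever performed the change."""
    by = record.get("initiatedBy") or {}
    if by.get("app"):
        return by["app"].get("displayName", "<unknown app>"), True
    user = by.get("user") or {}
    return user.get("userPrincipalName", "<unknown user>"), False


def find_suspicious_credential_changes(audit_json, approved=APPROVED_INITIATORS, since=None):
    """Flag credential changes not made by an approved human account.

    Every change initiated by an application identity is flagged, since the
    Commvault intrusion ran through app secrets rather than interactive
    logins; user-initiated changes are flagged unless the UPN is approved.
    Failed attempts are kept because they show the actor's intent.
    """
    findings = []
    for rec in json.loads(audit_json):
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        ts = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        if since is not None and ts < since:
            continue
        who, is_app = _initiator(rec)
        if not is_app and who in approved:
            continue
        findings.append({
            "time": ts.isoformat(),
            "target": ", ".join(t.get("displayName", "?") for t in rec.get("targetResources", [])),
            "initiator": who,
            "initiator_is_app": is_app,
            "result": rec.get("result"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_credential_changes(SAMPLE_AUDIT_LOG):
        print(finding)
```

In a real tenant, pull the records with `GET /auditLogs/directoryAudits?$filter=category eq 'ApplicationManagement'` (or from your SIEM's Entra export), pass the JSON array to `find_suspicious_credential_changes`, and treat any hit on a backup or integration service principal as a trigger to rotate that application's secrets, not just to investigate.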
Miscellaneous Developments
- Nation-State Threat Trends: Analysts continue to see sustained nation-state activity. In a May 25 GovTech column, Dan Lohrmann's midyear assessment named Russian, Chinese, Iranian and North Korean actors as the top threats to U.S. infrastructure and allies, and expects attacks on supply chains, election systems and critical infrastructure (of the kind reflected in this week's advisories) to continue through 2025.
- Events and Reports: On May 22 the third annual Austin Cybersecurity Summit convened IT security leaders for panels on threat mitigation and cyber resilience, including incident-response planning and current threats such as ransomware, phishing and APT activity. Elsewhere, vendors' monthly threat reports pointed to continuing trends such as attacks on cloud misconfigurations and AI-assisted phishing, and argued for layered defenses.
Conclusion
This week's news underscores that cyber threats remain high and diverse. Ransomware continues to disrupt critical services in healthcare and utilities, while large breaches hit both consumer platforms (a crypto exchange) and healthcare providers. Newly patched vulnerabilities span cloud management, virtualization, mobile device management, backup SaaS and industrial controls, showing that attackers are probing every layer of infrastructure. Government and law-enforcement responses, from CISA advisories to international takedowns, were swift, but the pace of disclosure and exploitation (the Ivanti bugs were exploited three days after the patch) means organizations cannot rely on the patch window being long.
Key takeaways: patch promptly, prioritizing CVEs on the CISA Known Exploited Vulnerabilities list; segment networks and enforce strong access controls to limit ransomware spread; keep tested backups and a rehearsed incident-response plan; and monitor for unusual activity, including leaked credentials, unexpected credential changes on cloud service principals and abnormal DNS entries. Public/private cooperation is increasing, but so is the sophistication of threat actors. CISOs and IT leaders should reinforce basic hygiene (phishing training, MFA, logging) and expect both nation-state and criminal campaigns to remain active in the months ahead.
Sources
SecurityWeek – News articles on breaches, attacks, and vulnerabilities
TechCrunch (May 21, 2025) – Coinbase breach disclosure
XTalks (May 22, 2025) – Kettering Health ransomware incident report
U.S. CISA – Official advisories on threats (AA25-141A Russian GRU, AA25-141B LummaC2, Commvault Metallic alert of May 22, 2025, etc.)
U.S. Department of Justice (May 22, 2025) – Operation RapTor press release
GovTech (May 25, 2025) – Analysis of nation-state cyber threats
Cybersecurity Summit – Event details for Austin summit (May 22, 2025)